Configuring Azure File Sync network endpoints

Azure Files and Azure File Sync provide two main types of endpoints for accessing Azure file shares:

  • Public endpoints, which have a public IP address and can be accessed from anywhere in the world.
  • Private endpoints, which exist within a virtual network and have a private IP address from within the address space of that virtual network.

For both Azure Files and Azure File Sync, the Azure management objects, the storage account and the Storage Sync Service respectively, control both the public and private endpoints. The storage account is a management construct that represents a shared pool of storage in which you can deploy multiple file shares, as well as other storage resources, such as blob containers or queues. The Storage Sync Service is a management construct that represents registered servers, which are Windows file servers with an established trust relationship with Azure File Sync, and sync groups, which define the topology of the sync relationship.

This article focuses on how to configure the networking endpoints for both Azure Files and Azure File Sync. To learn more about how to configure networking endpoints for accessing Azure file shares directly, rather than caching on-premises with Azure File Sync, see Configuring Azure Files network endpoints.

We recommend reading Azure File Sync networking considerations prior to reading this how-to guide.

Prerequisites

This article assumes that:

  • You have an Azure subscription. If you don't already have a subscription, then create a free account before you begin.
  • You have already created an Azure file share in a storage account which you would like to connect to from on-premises. To learn how to create an Azure file share, see Create an Azure file share.
  • You have already created a Storage Sync Service and registered your Windows file server with it. To learn how to deploy Azure File Sync, see Deploying Azure File Sync.

Additionally:

Create the private endpoints

When you create a private endpoint for an Azure resource, the following resources are deployed:

  • A private endpoint: An Azure resource representing either the private endpoint for the storage account or the Storage Sync Service. You can think of this as a resource that connects your Azure resource and a network interface.
  • A network interface (NIC): The network interface that maintains a private IP address within the specified virtual network/subnet. This is the exact same resource that gets deployed when you deploy a virtual machine, however instead of being assigned to a VM, it's owned by the private endpoint.
  • A private DNS zone: If you've never deployed a private endpoint for this virtual network before, a new private DNS zone will be deployed for your virtual network. A DNS A record will also be created for the Azure resource in this DNS zone. If you've already deployed a private endpoint in this virtual network, a new A record for the Azure resource will be added to the existing DNS zone. Deploying a DNS zone is optional, but highly recommended to simplify the DNS management required.

Note

This article uses the DNS suffixes for the Azure Public regions, core.windows.net for storage accounts and afs.azure.net for Storage Sync Services. This commentary also applies to Azure Sovereign clouds such as the Azure US Government cloud; just substitute the appropriate suffixes for your environment.

Create the storage account private endpoint

Navigate to the storage account for which you would like to create a private endpoint. In the table of contents for the storage account, select Private endpoint connections, and then + Private endpoint to create a new private endpoint.

A screenshot of the private endpoint connections item in the storage account table of contents

The resulting wizard has multiple pages to complete.

In the Basics blade, select the desired resource group, name, and region for your private endpoint. These can be whatever you want; they don't have to match the storage account in any way, although you must create the private endpoint in the same region as the virtual network you wish to create the private endpoint in.

A screenshot of the Basics section in the create private endpoint section

In the Resource blade, select the radio button for Connect to an Azure resource in my directory. Under Resource type, select Microsoft.Storage/storageAccounts for the resource type. The Resource field is the storage account with the Azure file share you wish to connect to. Target sub-resource is file, since this is for Azure Files.

The Configuration blade allows you to select the specific virtual network and subnet you would like to add your private endpoint to. You must select a distinct subnet from the subnet you added your service endpoint to above. The Configuration blade also contains the information for creating/updating the private DNS zone. We recommend using the default privatelink.file.core.windows.net zone.

A screenshot of the Configuration section

Click Review + create to create the private endpoint.

If you have a virtual machine inside of your virtual network, or you've configured DNS forwarding as described in Configuring DNS forwarding for Azure Files, you can test that your private endpoint has been set up correctly by running the following command from PowerShell, the command line, or the terminal (works for Windows, Linux, or macOS). You must replace <storage-account-name> with the appropriate storage account name:

nslookup <storage-account-name>.file.core.windows.net

If everything has worked successfully, you should see the following output, where 192.168.0.5 is the private IP address of the private endpoint in your virtual network (output shown for Windows):

Server:  UnKnown
Address:  10.2.4.4

Non-authoritative answer:
Name:    storageaccount.privatelink.file.core.windows.net
Address:  192.168.0.5
Aliases:  storageaccount.file.core.windows.net
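The same storage account private endpoint, created and verified with the Az PowerShell modules instead of the portal. This is an added example, not code from the original article; every <...> value is a placeholder, the endpoint name and the "reuse the zone if it exists" logic are assumptions, and it assumes the Az.Storage, Az.Network and Az.PrivateDns modules are installed and you are signed in.

```powershell
# Added example, not code from the original article: the storage account
# private endpoint from the portal walkthrough above, created with the Az
# PowerShell modules (Az.Storage, Az.Network, Az.PrivateDns).
# Every <...> value is a placeholder you must replace.
$storageAccountResourceGroupName  = "<storage-account-resource-group>"
$storageAccountName               = "<storage-account-name>"
$virtualNetworkResourceGroupName  = "<virtual-network-resource-group>"
$virtualNetworkName               = "<virtual-network-name>"
$subnetName                       = "<subnet-name>"
$privateEndpointResourceGroupName = "<private-endpoint-resource-group>"
$privateEndpointName              = "$storageAccountName-file-pe"   # assumed naming

# The private endpoint must be created in the same region as the virtual network.
$virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName $virtualNetworkResourceGroupName -Name $virtualNetworkName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork -Name $subnetName

# Target sub-resource is "file", matching the Resource blade in the portal.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $storageAccountResourceGroupName -Name $storageAccountName
$connection = New-AzPrivateLinkServiceConnection `
    -Name "$privateEndpointName-connection" `
    -PrivateLinkServiceId $storageAccount.Id `
    -GroupId "file"
$privateEndpoint = New-AzPrivateEndpoint `
    -ResourceGroupName $privateEndpointResourceGroupName `
    -Name $privateEndpointName `
    -Location $virtualNetwork.Location `
    -Subnet $subnet `
    -PrivateLinkServiceConnection $connection

# Private DNS zone, reused if one already exists for this virtual network (assumption).
$zoneName = "privatelink.file.core.windows.net"
$dnsZone = Get-AzPrivateDnsZone -ResourceGroupName $virtualNetworkResourceGroupName -Name $zoneName -ErrorAction SilentlyContinue
if ($null -eq $dnsZone) {
    $dnsZone = New-AzPrivateDnsZone -ResourceGroupName $virtualNetworkResourceGroupName -Name $zoneName
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $virtualNetworkResourceGroupName `
        -ZoneName $zoneName -Name "$virtualNetworkName-link" -VirtualNetworkId $virtualNetwork.Id | Out-Null
}

# Publish an A record pointing the storage account name at the endpoint NIC's private IP.
$nic = Get-AzNetworkInterface -ResourceId $privateEndpoint.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress
New-AzPrivateDnsRecordSet -ResourceGroupName $virtualNetworkResourceGroupName -ZoneName $zoneName `
    -Name $storageAccountName -RecordType A -Ttl 3600 `
    -PrivateDnsRecords (New-AzPrivateDnsRecordConfig -IPv4Address $privateIp) | Out-Null

# Same check as the nslookup above: from inside the virtual network the answer should be $privateIp.
Resolve-DnsName -Name "$storageAccountName.file.core.windows.net" -Type A
```

Run the final Resolve-DnsName from a machine inside the virtual network (or one using the DNS forwarding described above); run from elsewhere it will still return the public address.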

Create the storage sync private endpoint

Important

In order to use private endpoints on the Storage Sync Service resource, you must use Azure File Sync agent version 10.1 or greater. Agent versions prior to 10.1 do not support private endpoints on the Storage Sync Service. All prior agent versions support private endpoints on the storage account resource.

Navigate to the Private Link Center by typing Private Link into the search bar at the top of the Azure portal. In the table of contents for the Private Link Center, select Private endpoints, and then + Add to create a new private endpoint.

A screenshot of the private link center

The resulting wizard has multiple pages to complete.

In the Basics blade, select the desired resource group, name, and region for your private endpoint. These can be whatever you want; they don't have to match the Storage Sync Service in any way, although you must create the private endpoint in the same region as the virtual network you wish to create the private endpoint in.

A screenshot of the Basics section of the create private endpoint section

In the Resource blade, select the radio button for Connect to an Azure resource in my directory. Under the Resource type, select Microsoft.StorageSync/storageSyncServices for the resource type.

The Configuration blade allows you to select the specific virtual network and subnet you would like to add your private endpoint to. Select the same virtual network as the one you used for the storage account above. The Configuration blade also contains the information for creating/updating the private DNS zone.

Click Review + create to create the private endpoint.

You can test that your private endpoint has been set up correctly by running the following commands from PowerShell.

# Look up the private endpoint, walk to its network interface(s), read the
# private-link FQDNs registered on each IP configuration, and resolve them.
$privateEndpointResourceGroupName = "<your-private-endpoint-resource-group>"
$privateEndpointName = "<your-private-endpoint-name>"

Get-AzPrivateEndpoint `
        -ResourceGroupName $privateEndpointResourceGroupName `
        -Name $privateEndpointName `
        -ErrorAction Stop | `
    Select-Object -ExpandProperty NetworkInterfaces | `
    Select-Object -ExpandProperty Id | `
    ForEach-Object { Get-AzNetworkInterface -ResourceId $_ } | `
    Select-Object -ExpandProperty IpConfigurations | `
    Select-Object -ExpandProperty PrivateLinkConnectionProperties | `
    Select-Object -ExpandProperty Fqdns | `
    ForEach-Object { Resolve-DnsName -Name $_ } | `
    Format-List

If everything has worked correctly, you should see the following output where 192.168.1.4, 192.168.1.5, 192.168.1.6, and 192.168.1.7 are the private IP addresses assigned to the private endpoint:

Name     : mysssmanagement.westus2.afs.azure.net
Type     : CNAME
TTL      : 60
Section  : Answer
NameHost : mysssmanagement.westus2.privatelink.afs.azure.net


Name       : mysssmanagement.westus2.privatelink.afs.azure.net
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 192.168.1.4

Name     : myssssyncp.westus2.afs.azure.net
Type     : CNAME
TTL      : 60
Section  : Answer
NameHost : myssssyncp.westus2.privatelink.afs.azure.net


Name       : myssssyncp.westus2.privatelink.afs.azure.net
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 192.168.1.5

Name     : myssssyncs.westus2.afs.azure.net
Type     : CNAME
TTL      : 60
Section  : Answer
NameHost : myssssyncs.westus2.privatelink.afs.azure.net


Name       : myssssyncs.westus2.privatelink.afs.azure.net
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 192.168.1.6

Name     : mysssmonitoring.westus2.afs.azure.net
Type     : CNAME
TTL      : 60
Section  : Answer
NameHost : mysssmonitoring.westus2.privatelink.afs.azure.net


Name       : mysssmonitoring.westus2.privatelink.afs.azure.net
QueryType  : A
TTL        : 60
Section    : Answer
IP4Address : 192.168.1.7
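A stricter version of the check above, run from a registered server: rather than eyeballing the output, it flags any Storage Sync Service FQDN whose A record falls outside the virtual network's address space, which is the symptom of DNS still steering the agent to the public endpoint. This is an added example, not code from the original article; the CIDR value is a constructed placeholder, and the Test-IPv4InCidr helper and the status labels are this example's own.

```powershell
# Added example, not code from the original article: verify that each
# Storage Sync Service FQDN behind the private endpoint resolves into the
# virtual network. Any public answer means the agent's sync, management and
# monitoring traffic would still leave through the public endpoint.
$privateEndpointResourceGroupName = "<your-private-endpoint-resource-group>"
$privateEndpointName              = "<your-private-endpoint-name>"
$virtualNetworkCidr               = "192.168.1.0/24"   # constructed: use your subnet's range

# Prefix match of an IPv4 address against a CIDR, byte by byte (helper written here).
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $network, $prefixLength = $Cidr.Split('/')
    $addrBytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    $netBytes  = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    $remaining = [int]$prefixLength
    for ($i = 0; $i -lt 4; $i++) {
        $bitsInByte = [Math]::Min(8, [Math]::Max(0, $remaining))
        $mask = (0xFF -shl (8 - $bitsInByte)) -band 0xFF
        if (($addrBytes[$i] -band $mask) -ne ($netBytes[$i] -band $mask)) { return $false }
        $remaining -= 8
    }
    return $true
}

# Same chain as the verification script above, stopping at the list of FQDNs.
$fqdns = Get-AzPrivateEndpoint -ResourceGroupName $privateEndpointResourceGroupName `
        -Name $privateEndpointName -ErrorAction Stop |
    Select-Object -ExpandProperty NetworkInterfaces |
    Select-Object -ExpandProperty Id |
    ForEach-Object { Get-AzNetworkInterface -ResourceId $_ } |
    Select-Object -ExpandProperty IpConfigurations |
    Select-Object -ExpandProperty PrivateLinkConnectionProperties |
    Select-Object -ExpandProperty Fqdns

$findings = foreach ($fqdn in $fqdns) {
    $answers = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.QueryType -eq 'A' }
    if (-not $answers) {
        [pscustomobject]@{ Fqdn = $fqdn; Address = $null; Status = 'NO_ANSWER' }
        continue
    }
    foreach ($answer in $answers) {
        $inVnet = Test-IPv4InCidr -Address $answer.IP4Address -Cidr $virtualNetworkCidr
        $status = if ($inVnet) { 'PRIVATE' } else { 'PUBLIC_RESOLUTION' }
        [pscustomobject]@{ Fqdn = $fqdn; Address = $answer.IP4Address; Status = $status }
    }
}
$findings | Format-Table -AutoSize
if (@($findings.Status) -match 'NO_ANSWER|PUBLIC_RESOLUTION') {
    Write-Warning "A Storage Sync Service name is not resolving to the private endpoint; check the privatelink.afs.azure.net zone and DNS forwarding."
}
```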

Restrict access to the public endpoints

You can restrict access to the public endpoints of both the storage account and the Storage Sync Service. Restricting access to the public endpoint provides additional security by ensuring that network packets are only accepted from approved locations.

Restrict access to the storage account public endpoint

Access restriction to the public endpoint is done using the storage account firewall settings. In general, most firewall policies for a storage account will restrict networking access to one or more virtual networks. There are two approaches to restricting access to a storage account to a virtual network:

  • Create one or more private endpoints for the storage account and disable access to the public endpoint. This ensures that only traffic originating from within the desired virtual networks can access the Azure file shares within the storage account.
  • Restrict the public endpoint to one or more virtual networks. This works by using a capability of the virtual network called service endpoints. When you restrict the traffic to a storage account via a service endpoint, you are still accessing the storage account via the public IP address.

Disable access to the storage account public endpoint

When access to the public endpoint is disabled, the storage account can still be accessed through its private endpoints. Requests to the storage account's public endpoint that would otherwise be valid are rejected.

Navigate to the storage account for which you would like to restrict all access to the public endpoint. In the table of contents for the storage account, select Firewalls and virtual networks.

At the top of the page, select the Selected networks radio button. This will un-hide a number of settings for controlling the restriction of the public endpoint. Check Allow trusted Microsoft services to access this storage account to allow trusted first-party Microsoft services such as Azure File Sync to access the storage account.

Screenshot of the Firewalls and virtual networks blade with the appropriate restrictions in place

Restrict access to the storage account public endpoint to specific virtual networks

When you restrict the storage account to specific virtual networks, you are allowing requests to the public endpoint from within the specified virtual networks. This works by using a capability of the virtual network called service endpoints. This can be used with or without private endpoints.

Navigate to the storage account for which you would like to restrict the public endpoint to specific virtual networks. In the table of contents for the storage account, select Firewalls and virtual networks.

At the top of the page, select the Selected networks radio button. This will un-hide a number of settings for controlling the restriction of the public endpoint. Click +Add existing virtual network to select the specific virtual network that should be allowed to access the storage account via the public endpoint. This will require selecting a virtual network and a subnet for that virtual network.

Check Allow trusted Microsoft services to access this storage account to allow trusted first-party Microsoft services such as Azure File Sync to access the storage account.

Screenshot of the Firewalls and virtual networks blade with a specific virtual network allowed to access the storage account via the public endpoint

Disable access to the Storage Sync Service public endpoint

Azure File Sync enables you to restrict access to specific virtual networks through private endpoints only; Azure File Sync does not support service endpoints for restricting access to the public endpoint to specific virtual networks. This means that the two states for the Storage Sync Service's public endpoint are enabled and disabled.

This is not possible through the Azure portal. Please select the Azure PowerShell tab to get instructions on how to disable the Storage Sync Service public endpoint.
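The public-endpoint restrictions from the two sections above (disabling the storage account public endpoint or limiting it to specific virtual networks, and disabling the Storage Sync Service public endpoint) expressed with Az PowerShell. This is an added example, not code from the original article; it assumes the Az.Storage, Az.Network and Az.StorageSync modules, the <...> values are placeholders, and the $allowedSubnets list and the summary object at the end are this example's own shape.

```powershell
# Added example, not code from the original article. Leave $allowedSubnets
# empty to disable the storage account public endpoint entirely (private
# endpoints only); list subnets to allow them via service endpoints.
$storageAccountResourceGroupName     = "<storage-account-resource-group>"
$storageAccountName                  = "<storage-account-name>"
$storageSyncServiceResourceGroupName = "<storage-sync-service-resource-group>"
$storageSyncServiceName              = "<storage-sync-service-name>"
$allowedSubnets = @(
    # Constructed entry; delete it to disable the public endpoint entirely.
    @{ ResourceGroupName = "<virtual-network-resource-group>"; VirtualNetworkName = "<virtual-network-name>"; SubnetName = "<subnet-name>" }
)

foreach ($entry in $allowedSubnets) {
    $virtualNetwork = Get-AzVirtualNetwork -ResourceGroupName $entry.ResourceGroupName -Name $entry.VirtualNetworkName
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork -Name $entry.SubnetName
    # A subnet can only be allowed once it carries the Microsoft.Storage service endpoint.
    if (@($subnet.ServiceEndpoints.Service) -notcontains 'Microsoft.Storage') {
        Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $virtualNetwork -Name $subnet.Name `
            -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Storage' |
            Set-AzVirtualNetwork | Out-Null
        $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork (Get-AzVirtualNetwork -ResourceGroupName $entry.ResourceGroupName -Name $entry.VirtualNetworkName) -Name $entry.SubnetName
    }
    Add-AzStorageAccountNetworkRule -ResourceGroupName $storageAccountResourceGroupName `
        -Name $storageAccountName -VirtualNetworkResourceId $subnet.Id | Out-Null
}

# Deny by default, but keep the bypass for trusted first-party services such as
# Azure File Sync (the "Allow trusted Microsoft services" checkbox in the portal).
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageAccountResourceGroupName `
    -Name $storageAccountName -DefaultAction Deny -Bypass AzureServices | Out-Null

# The Storage Sync Service public endpoint has only two states; this selects
# the disabled one, so the service is reachable only through its private endpoint.
Set-AzStorageSyncService -ResourceGroupName $storageSyncServiceResourceGroupName `
    -Name $storageSyncServiceName -IncomingTrafficPolicy AllowVirtualNetworksOnly | Out-Null

# Report the resulting state of both resources for the change record.
$ruleSet = Get-AzStorageAccountNetworkRuleSet -ResourceGroupName $storageAccountResourceGroupName -Name $storageAccountName
$syncService = Get-AzStorageSyncService -ResourceGroupName $storageSyncServiceResourceGroupName -Name $storageSyncServiceName
[pscustomobject]@{
    StorageAccountDefaultAction = $ruleSet.DefaultAction
    StorageAccountBypass        = $ruleSet.Bypass
    AllowedSubnetRules          = @($ruleSet.VirtualNetworkRules).Count
    StorageSyncTrafficPolicy    = $syncService.IncomingTrafficPolicy
}
```

Expect DefaultAction to read Deny, Bypass to include AzureServices, and the traffic policy to read AllowVirtualNetworksOnly; an agent on a server that cannot reach the private endpoints will stop syncing once the last two settings are applied.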