Azure File Sync proxy and firewall settings

Azure File Sync connects your on-premises servers to Azure Files, enabling multi-site synchronization and cloud tiering features. As such, an on-premises server must be connected to the internet. An IT admin needs to decide the best path for the server to reach into Azure cloud services.

This article provides insight into specific requirements and options available to successfully and securely connect your server to Azure File Sync.

We recommend reading Azure File Sync networking considerations prior to reading this how to guide.

Overview

Azure File Sync acts as an orchestration service between your Windows Server, your Azure file share, and several other Azure services to sync data as described in your sync group. For Azure File Sync to work correctly, you'll need to configure your servers to communicate with the following Azure services:

  • Azure Storage
  • Azure File Sync
  • Azure Resource Manager
  • Authentication services

Note

The Azure File Sync agent on Windows Server initiates all requests to cloud services which results in only having to consider outbound traffic from a firewall perspective. No Azure service initiates a connection to the Azure File Sync agent.

Ports

Azure File Sync moves file data and metadata exclusively over HTTPS and requires port 443 to be open outbound. As a result, all traffic is encrypted.

Networks and special connections to Azure

The Azure File Sync agent has no requirements regarding special channels like ExpressRoute, etc. to Azure.

Azure File Sync will work through any means available that allow reach into Azure, automatically adapting to network characteristics like bandwidth and latency, as well as offering admin control for fine-tuning.

Proxy

Azure File Sync supports app-specific and machine-wide proxy settings.

App-specific proxy settings allow configuration of a proxy specifically for Azure File Sync traffic. App-specific proxy settings are supported on agent version 4.0.1.0 or newer and can be configured during the agent installation or by using the Set-StorageSyncProxyConfiguration PowerShell cmdlet. Use the Get-StorageSyncProxyConfiguration cmdlet to return any proxy settings that are currently configured. A blank result indicates that there are no proxy settings configured. To remove the existing proxy configuration, use the Remove-StorageSyncProxyConfiguration cmdlet.

PowerShell commands to configure app-specific proxy settings:

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
Set-StorageSyncProxyConfiguration -Address <url> -Port <port number> -ProxyCredential <credentials>

For example, if your proxy server requires authentication with a user name and password, run the following PowerShell commands:

# IP address or name of the proxy server.
$Address="http://127.0.0.1"

# The port to use for the connection to the proxy.
$Port=8080

# The user name for a proxy.
$UserName="user_name"

# Please type or paste a string with a password for the proxy.
$SecurePassword = Read-Host -AsSecureString

$Creds = New-Object System.Management.Automation.PSCredential ($UserName, $SecurePassword)

# Please verify that you have entered the password correctly.
Write-Host $Creds.GetNetworkCredential().Password

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"

Set-StorageSyncProxyConfiguration -Address $Address -Port $Port -ProxyCredential $Creds

Machine-wide proxy settings are transparent to the Azure File Sync agent as the entire traffic of the server is routed through the proxy.

To configure machine-wide proxy settings, follow the steps below:

  1. Configure proxy settings for .NET applications

    • Edit these two files:
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config

    • Add the <system.net> section in the machine.config files (below the <system.serviceModel> section). Change 127.0.01:8888 to the IP address and port for the proxy server.

      <system.net>
         <defaultProxy enabled="true" useDefaultCredentials="true">
           <proxy autoDetect="false" bypassonlocal="false" proxyaddress="http://127.0.0.1:8888" usesystemdefault="false" />
         </defaultProxy>
      </system.net>
      
  2. Set the WinHTTP proxy settings

    Note

    There are several methods (WPAD, PAC file, netsh, etc.) to configure a Windows Server to use a proxy server. The steps below cover how to configure the proxy settings using netsh but any method listed in the Configure proxy server settings in Windows documentation is supported.

    • Run the following command from an elevated command prompt or PowerShell to see the existing proxy setting:

      netsh winhttp show proxy

    • Run the following command from an elevated command prompt or PowerShell to set the proxy setting (change 127.0.01:8888 to the IP address and port for the proxy server):

      netsh winhttp set proxy 127.0.0.1:8888

  3. Restart the Storage Sync Agent service by running the following command from an elevated command prompt or PowerShell:

    net stop filesyncsvc

    Note: The Storage Sync Agent (filesyncsvc) service will auto-start once stopped.

Firewall

As mentioned in a previous section, port 443 needs to be open outbound. Based on policies in your datacenter, branch or region, further restricting traffic over this port to specific domains may be desired or required.

The following table describes the required domains for communication:

Service Public cloud endpoint Azure Government endpoint Usage
Azure Resource Manager https://management.azure.com https://management.usgovcloudapi.net Any user call (like PowerShell) goes to/through this URL, including the initial server registration call.
Microsoft Entra ID https://login.windows.net
https://login.microsoftonline.com
https://aadcdn.msftauth.net
https://login.microsoftonline.us Azure Resource Manager calls must be made by an authenticated user. To succeed, this URL is used for user authentication.
Microsoft Entra ID https://graph.microsoft.com/ https://graph.microsoft.com/ As part of deploying Azure File Sync, a service principal in the subscription's Microsoft Entra ID will be created. This URL is used for that. This principal is used for delegating a minimal set of rights to the Azure File Sync service. The user performing the initial setup of Azure File Sync must be an authenticated user with subscription owner privileges.
Microsoft Entra ID https://secure.aadcdn.microsoftonline-p.com https://secure.aadcdn.microsoftonline-p.com
(same as public cloud endpoint URL)
This URL is accessed by the Active Directory authentication library that the Azure File Sync server registration UI uses to log in the administrator.
Azure Storage *.core.windows.net *.core.usgovcloudapi.net When the server downloads a file, then the server performs that data movement more efficiently when talking directly to the Azure file share in the Storage Account. The server has a SAS key that only allows for targeted file share access.
Azure File Sync *.one.microsoft.com
*.afs.azure.net
*.afs.azure.us After initial server registration, the server receives a regional URL for the Azure File Sync service instance in that region. The server can use the URL to communicate directly and efficiently with the instance handling its sync.
Microsoft PKI https://www.microsoft.com/pki/mscorp/cps
http://crl.microsoft.com/pki/mscorp/crl/
http://mscrl.microsoft.com/pki/mscorp/crl/
http://ocsp.msocsp.com
http://ocsp.digicert.com/
http://crl3.digicert.com/
https://www.microsoft.com/pki/mscorp/cps
http://crl.microsoft.com/pki/mscorp/crl/
http://mscrl.microsoft.com/pki/mscorp/crl/
http://ocsp.msocsp.com
http://ocsp.digicert.com/
http://crl3.digicert.com/
Once the Azure File Sync agent is installed, the PKI URL is used to download intermediate certificates required to communicate with the Azure File Sync service and Azure file share. The OCSP URL is used to check the status of a certificate.
Microsoft Update *.update.microsoft.com
*.download.windowsupdate.com
*.ctldl.windowsupdate.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
*.update.microsoft.com
*.download.windowsupdate.com
*.ctldl.windowsupdate.com
*.dl.delivery.mp.microsoft.com
*.emdl.ws.microsoft.com
Once the Azure File Sync agent is installed, the Microsoft Update URLs are used to download Azure File Sync agent updates.

Important

When allowing traffic to *.afs.azure.net, traffic is only possible to the sync service. There are no other Microsoft services using this domain. When allowing traffic to *.one.microsoft.com, traffic to more than just the sync service is possible from the server. There are many more Microsoft services available under subdomains.

If *.afs.azure.net or *.one.microsoft.com is too broad, you can limit the server's communication by allowing communication to only explicit regional instances of the Azure File Sync service. Which instance(s) to choose depends on the region of the storage sync service you have deployed and registered the server to. That region is called "Primary endpoint URL" in the table below.

For business continuity and disaster recovery (BCDR) reasons you may have created your Azure file shares in a storage account that is configured for geo-redundant storage (GRS). If that is the case, your Azure file shares will fail over to the paired region in the event of a lasting regional outage. Azure File Sync uses the same regional pairings as storage. So if you use GRS storage accounts, you need to enable additional URLs to allow your server to talk to the paired region for Azure File Sync. The table below calls this "Paired region". Additionally, there is a traffic manager profile URL that needs to be enabled as well. This will ensure network traffic can be seamlessly re-routed to the paired region in the event of a failover and is called "Discovery URL" in the table below.

Cloud Region Primary endpoint URL Paired region Discovery URL
Public Australia East https://australiaeast01.afs.azure.net
https://kailani-aue.one.microsoft.com
Australia Southeast https://tm-australiaeast01.afs.azure.net
https://tm-kailani-aue.one.microsoft.com
Public Australia Southeast https://australiasoutheast01.afs.azure.net
https://kailani-aus.one.microsoft.com
Australia East https://tm-australiasoutheast01.afs.azure.net
https://tm-kailani-aus.one.microsoft.com
Public Brazil South https://brazilsouth01.afs.azure.net South Central US https://tm-brazilsouth01.afs.azure.net
Public Canada Central https://canadacentral01.afs.azure.net
https://kailani-cac.one.microsoft.com
Canada East https://tm-canadacentral01.afs.azure.net
https://tm-kailani-cac.one.microsoft.com
Public Canada East https://canadaeast01.afs.azure.net
https://kailani-cae.one.microsoft.com
Canada Central https://tm-canadaeast01.afs.azure.net
https://tm-kailani.cae.one.microsoft.com
Public Central India https://centralindia01.afs.azure.net
https://kailani-cin.one.microsoft.com
South India https://tm-centralindia01.afs.azure.net
https://tm-kailani-cin.one.microsoft.com
Public Central US https://centralus01.afs.azure.net
https://kailani-cus.one.microsoft.com
East US 2 https://tm-centralus01.afs.azure.net
https://tm-kailani-cus.one.microsoft.com
Microsoft Azure operated by 21Vianet China East 2 https://chinaeast201.afs.azure.cn China North 2 https://tm-chinaeast201.afs.azure.cn
Microsoft Azure operated by 21Vianet China North 2 https://chinanorth201.afs.azure.cn China East 2 https://tm-chinanorth201.afs.azure.cn
Public East Asia https://eastasia01.afs.azure.net
https://kailani11.one.microsoft.com
Southeast Asia https://tm-eastasia01.afs.azure.net
https://tm-kailani11.one.microsoft.com
Public East US https://eastus01.afs.azure.net
https://kailani1.one.microsoft.com
West US https://tm-eastus01.afs.azure.net
https://tm-kailani1.one.microsoft.com
Public East US 2 https://eastus201.afs.azure.net
https://kailani-ess.one.microsoft.com
Central US https://tm-eastus201.afs.azure.net
https://tm-kailani-ess.one.microsoft.com
Public Germany North https://germanynorth01.afs.azure.net Germany West Central https://tm-germanywestcentral01.afs.azure.net
Public Germany West Central https://germanywestcentral01.afs.azure.net Germany North https://tm-germanynorth01.afs.azure.net
Public Japan East https://japaneast01.afs.azure.net Japan West https://tm-japaneast01.afs.azure.net
Public Japan West https://japanwest01.afs.azure.net Japan East https://tm-japanwest01.afs.azure.net
Public Korea Central https://koreacentral01.afs.azure.net/ Korea South https://tm-koreacentral01.afs.azure.net/
Public Korea South https://koreasouth01.afs.azure.net/ Korea Central https://tm-koreasouth01.afs.azure.net/
Public North Central US https://northcentralus01.afs.azure.net South Central US https://tm-northcentralus01.afs.azure.net
Public North Europe https://northeurope01.afs.azure.net
https://kailani7.one.microsoft.com
West Europe https://tm-northeurope01.afs.azure.net
https://tm-kailani7.one.microsoft.com
Public South Central US https://southcentralus01.afs.azure.net North Central US https://tm-southcentralus01.afs.azure.net
Public South India https://southindia01.afs.azure.net
https://kailani-sin.one.microsoft.com
Central India https://tm-southindia01.afs.azure.net
https://tm-kailani-sin.one.microsoft.com
Public Southeast Asia https://southeastasia01.afs.azure.net
https://kailani10.one.microsoft.com
East Asia https://tm-southeastasia01.afs.azure.net
https://tm-kailani10.one.microsoft.com
Public Switzerland North https://switzerlandnorth01.afs.azure.net
https://tm-switzerlandnorth01.afs.azure.net
Switzerland West https://switzerlandwest01.afs.azure.net
https://tm-switzerlandwest01.afs.azure.net
Public Switzerland West https://switzerlandwest01.afs.azure.net
https://tm-switzerlandwest01.afs.azure.net
Switzerland North https://switzerlandnorth01.afs.azure.net
https://tm-switzerlandnorth01.afs.azure.net
Public UAE Central https://uaecentral01.afs.azure.net UAE North https://tm-uaecentral01.afs.azure.net
Public UAE North https://uaenorth01.afs.azure.net UAE Central https://tm-uaenorth01.afs.azure.net
Public UK South https://uksouth01.afs.azure.net
https://kailani-uks.one.microsoft.com
UK West https://tm-uksouth01.afs.azure.net
https://tm-kailani-uks.one.microsoft.com
Public UK West https://ukwest01.afs.azure.net
https://kailani-ukw.one.microsoft.com
UK South https://tm-ukwest01.afs.azure.net
https://tm-kailani-ukw.one.microsoft.com
Public West Central US https://westcentralus01.afs.azure.net West US 2 https://tm-westcentralus01.afs.azure.net
Public West Europe https://westeurope01.afs.azure.net
https://kailani6.one.microsoft.com
North Europe https://tm-westeurope01.afs.azure.net
https://tm-kailani6.one.microsoft.com
Public West US https://westus01.afs.azure.net
https://kailani.one.microsoft.com
East US https://tm-westus01.afs.azure.net
https://tm-kailani.one.microsoft.com
Public West US 2 https://westus201.afs.azure.net West Central US https://tm-westus201.afs.azure.net
Government US Gov Arizona https://usgovarizona01.afs.azure.us US Gov Texas https://tm-usgovarizona01.afs.azure.us
Government US Gov Texas https://usgovtexas01.afs.azure.us US Gov Arizona https://tm-usgovtexas01.afs.azure.us
  • If you use a storage account configured for locally redundant storage (LRS) or zone redundant storage (ZRS), you only need to enable the URL listed under "Primary endpoint URL".

  • If you use a storage account configured for GRS, enable three URLs.

Example: You deploy a storage sync service in "West US" and register your server with it. The URLs to allow the server to communicate to for this case are:

  • https://westus01.afs.azure.net (primary endpoint: West US)
  • https://eastus01.afs.azure.net (paired failover region: East US)
  • https://tm-westus01.afs.azure.net (discovery URL of the primary region)

Allow list for Azure File Sync IP addresses

Azure File Sync supports the use of service tags, which represent a group of IP address prefixes for a given Azure service. You can use service tags to create firewall rules that enable communication with the Azure File Sync service. The service tag for Azure File Sync is StorageSyncService.

If you're using Azure File Sync within Azure, you can use name of service tag directly in your network security group to allow traffic. To learn more about how to do this, see Network security groups.

If you're using Azure File Sync on-premises, you can use the service tag API to get specific IP address ranges for your firewall's allow list. There are two methods for getting this information:

Because the service tag discovery API might not be updated as frequently as the JSON documents published to the Microsoft Download Center, we recommend using the JSON document to update your on-premises firewall's allow list. This can be done as follows:

# The specific region to get the IP address ranges for. Replace westus2 with the desired region code 
# from Get-AzLocation.
$region = "westus2"

# The service tag for Azure File Sync. Don't change unless you're adapting this
# script for another service.
$serviceTag = "StorageSyncService"

# Download date is the string matching the JSON document on the Download Center. 
$possibleDownloadDates = 0..7 | `
    ForEach-Object { [System.DateTime]::Now.AddDays($_ * -1).ToString("yyyyMMdd") }

# Verify the provided region
$validRegions = Get-AzLocation | `
    Where-Object { $_.Providers -contains "Microsoft.StorageSync" } | `
    Select-Object -ExpandProperty Location

if ($validRegions -notcontains $region) {
    Write-Error `
            -Message "The specified region $region isn't available. Either Azure File Sync isn't deployed there or the region doesn't exist." `
            -ErrorAction Stop
}

# Get the Azure cloud. This should automatically based on the context of 
# your Az PowerShell login, however if you manually need to populate, you can find
# the correct values using Get-AzEnvironment.
$azureCloud = Get-AzContext | `
    Select-Object -ExpandProperty Environment | `
    Select-Object -ExpandProperty Name

# Build the download URI
$downloadUris = @()
switch($azureCloud) {
    "AzureCloud" { 
        $downloadUris = $possibleDownloadDates | ForEach-Object {  
            "https://download.microsoft.com/download/7/1/D/71D86715-5596-4529-9B13-DA13A5DE5B63/ServiceTags_Public_$_.json"
        }
    }

    "AzureUSGovernment" {
        $downloadUris = $possibleDownloadDates | ForEach-Object { 
            "https://download.microsoft.com/download/6/4/D/64DB03BF-895B-4173-A8B1-BA4AD5D4DF22/ServiceTags_AzureGovernment_$_.json"
        }
    }

    "AzureChinaCloud" {
        $downloadUris = $possibleDownloadDates | ForEach-Object { 
            "https://download.microsoft.com/download/9/D/0/9D03B7E2-4B80-4BF3-9B91-DA8C7D3EE9F9/ServiceTags_China_$_.json"
        }
    }

    "AzureGermanCloud" {
        $downloadUris = $possibleDownloadDates | ForEach-Object { 
            "https://download.microsoft.com/download/0/7/6/076274AB-4B0B-4246-A422-4BAF1E03F974/ServiceTags_AzureGermany_$_.json"
        }
    }

    default {
        Write-Error -Message "Unrecognized Azure Cloud: $_" -ErrorAction Stop
    }
}

# Find most recent file
$found = $false 
foreach($downloadUri in $downloadUris) {
    try { $response = Invoke-WebRequest -Uri $downloadUri -UseBasicParsing } catch { }
    if ($response.StatusCode -eq 200) {
        $found = $true
        break
    }
}

if ($found) {
    # Get the raw JSON 
    $content = [System.Text.Encoding]::UTF8.GetString($response.Content)

    # Parse the JSON
    $serviceTags = ConvertFrom-Json -InputObject $content -Depth 100

    # Get the specific $ipAddressRanges
    $ipAddressRanges = $serviceTags | `
        Select-Object -ExpandProperty values | `
        Where-Object { $_.id -eq "$serviceTag.$region" } | `
        Select-Object -ExpandProperty properties | `
        Select-Object -ExpandProperty addressPrefixes
} else {
    # If the file cannot be found, that means there hasn't been an update in
    # more than a week. Please verify the download URIs are still accurate
    # by checking https://learn.microsoft.com/azure/virtual-network/service-tags-overview
    Write-Verbose -Message "JSON service tag file not found."
    return
}

You can then use the IP address ranges in $ipAddressRanges to update your firewall. Check your firewall/network appliance's website for information on how to update your firewall.

Test network connectivity to service endpoints

Once a server is registered with the Azure File Sync service, the Test-StorageSyncNetworkConnectivity cmdlet and ServerRegistration.exe can be used to test communications with all endpoints (URLs) specific to this server. This cmdlet can help troubleshoot when incomplete communication prevents the server from fully working with Azure File Sync and it can be used to fine-tune proxy and firewall configurations.

To run the network connectivity test, run the following PowerShell commands:

Import-Module "C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll"
Test-StorageSyncNetworkConnectivity

If the test fails, collect WinHTTP debug traces to troubleshoot: netsh trace start scenario=InternetClient_dbg capture=yes overwrite=yes maxsize=1024

Run the network connectivity test again, and then stop collecting traces: netsh trace stop

Put the generated NetTrace.etl file into a ZIP archive, open a support case, and share the file with support.

Summary and risk limitation

The lists earlier in this document contain the URLs Azure File Sync currently communicates with. Firewalls must be able to allow traffic outbound to these domains. Microsoft strives to keep this list updated.

Setting up domain restricting firewall rules can be a measure to improve security. If these firewall configurations are used, keep in mind that URLs will be added and might even change over time. Check this article periodically.

Next steps