You can access your Azure file shares over the public internet accessible endpoint, over one or more private endpoints on your network(s), or by caching your Azure file share on-premises with Azure File Sync (SMB file shares only). This article focuses on how to configure Azure Files for direct access over public and/or private endpoints. To learn how to cache your Azure file share on-premises with Azure File Sync, see Introduction to Azure File Sync.

We recommend reading Planning for an Azure Files deployment prior to reading this conceptual guide.

Directly accessing the Azure file share often requires additional thought with respect to networking:

- SMB file shares communicate over port 445, which many organizations and internet service providers (ISPs) block for outbound (internet) traffic. This practice originates from legacy security guidance about deprecated and non-internet-safe versions of the SMB protocol. Although SMB 3.x is an internet-safe protocol, organizational or ISP policies may not be possible to change. Therefore, mounting an SMB file share often requires additional networking configuration to use outside of Azure.

- NFS file shares rely on network-level authentication and are therefore only accessible via restricted networks. Using an NFS file share always requires some level of networking configuration.

Configuring public and private endpoints for Azure Files is done on the top-level management object for Azure Files, the Azure storage account. A storage account is a management construct that represents a shared pool of storage in which you can deploy multiple Azure file shares, as well as the storage resources for other Azure storage services, such as blob containers or queues.

This video is a guide and demo for how to securely expose Azure file shares directly to information workers and apps in five simple steps. The sections below provide links and additional context to the documentation referenced in the video.

By default, Azure storage accounts require secure transfer, regardless of whether data is accessed over the public or private endpoint. For Azure Files, the require secure transfer setting is enforced for all protocol access to the data stored on Azure file shares, including SMB, NFS, and FileREST. You can disable the require secure transfer setting to allow unencrypted traffic. In the Azure portal, you may also see this setting labeled as require secure transfer for REST API operations.

The SMB, NFS, and FileREST protocols have slightly different behavior with respect to the require secure transfer setting:

- When require secure transfer is enabled on a storage account, all SMB file shares in that storage account will require the SMB 3.x protocol with AES-128-CCM, AES-128-GCM, or AES-256-GCM encryption algorithms, depending on the available/required encryption negotiation between the SMB client and Azure Files. You can toggle which SMB encryption algorithms are allowed via the SMB security settings. Disabling the require secure transfer setting enables SMB 2.1 and SMB 3.x mounts without encryption.

- NFS file shares don't support an encryption mechanism, so in order to use the NFS protocol to access an Azure file share, you must disable require secure transfer for the storage account.
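As an added example (not from this article or from the Azure documentation), the following Python audit applies the secure transfer and NFS networking rules above to one storage account. It assumes a dictionary in the shape returned by `az storage account show -o json`; the field names used (enableHttpsTrafficOnly, publicNetworkAccess, networkRuleSet.defaultAction, privateEndpointConnections) are assumptions about that output, and the sample accounts are constructed.

```python
import json

# Constructed sample: secure transfer disabled on a publicly reachable account.
OPEN_ACCOUNT = json.loads("""
{
  "name": "exampleopenacct",
  "kind": "FileStorage",
  "enableHttpsTrafficOnly": false,
  "publicNetworkAccess": "Enabled",
  "networkRuleSet": {"defaultAction": "Allow"},
  "privateEndpointConnections": []
}
""")

# Constructed sample: secure transfer enabled, reachable only via a private endpoint.
HARDENED_ACCOUNT = json.loads("""
{
  "name": "examplehardenedacct",
  "kind": "FileStorage",
  "enableHttpsTrafficOnly": true,
  "publicNetworkAccess": "Disabled",
  "networkRuleSet": {"defaultAction": "Deny"},
  "privateEndpointConnections": [{"name": "pe-files"}]
}
""")


def audit_secure_transfer(account: dict, nfs_in_use: bool) -> list:
    """Return findings for one storage account, following the rules in the text:
    secure transfer on  -> only SMB 3.x with AES-CCM/GCM; NFS cannot mount at all.
    secure transfer off -> SMB 2.1/3.x may mount unencrypted, so the account must
                           be reachable only from restricted networks."""
    findings = []
    secure = account.get("enableHttpsTrafficOnly", True)  # assumed field name
    public_open = (account.get("publicNetworkAccess", "Enabled") == "Enabled"
                   and account.get("networkRuleSet", {}).get("defaultAction") == "Allow")
    has_private = bool(account.get("privateEndpointConnections"))
    if secure and nfs_in_use:
        findings.append("NFS shares cannot be mounted while require secure transfer is on")
    if not secure and public_open:
        findings.append("secure transfer off on a publicly reachable account: "
                        "unencrypted SMB 2.1/3.x mounts are possible from the internet")
    if not secure and not nfs_in_use:
        findings.append("no NFS in use: re-enable with "
                        "az storage account update --https-only true")
    if nfs_in_use and not (has_private or not public_open):
        findings.append("NFS relies on network-level authentication: "
                        "restrict access to a private endpoint or network rules")
    return findings
```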