Pages

Sunday, March 7, 2021

Configuring and accessing Microsoft Azure Files

One of the common questions I am asked by colleagues and clients is how and why they would use Azure Files. The answer to the “how” and “why” are in abundance and I usually provide examples based on the environment I am working in. Some features may be more important for others but a few examples I have off the top of my head are:

  • Lift and shift initiatives for applications installed on Windows Servers can have the data transitioned into the cloud with Azure Files (you can easily move all of the data stored on, say, and E drive of a Windows server into Azure Files then mount that drive back on the server as an E drive without changing code)
  • Container instances, which requires a drive for persistent storage, can leverage Azure Files to provide a drive that can be mounted in Linux
  • Traditional file servers hosted on Windows Servers can be migrated into Azure Files for serverless hosting
  • Azure File Sync can be used to synchronize files stored in Azure Files to an on-premise file server for fast local access

The following Microsoft document provides more information about Azure files:

What is Azure Files?
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction

With a brief overview of Azure Files and its benefits out of the way, the following is a demonstration of how to set up Azure Files, access the share, snapshot, and lockdown access with a service endpoint. Azure Files can also be configured with Share and NTFS permissions similar to a traditional shared folder on a Windows Server but the process of the configuration is too long to include into this post so I will write a separate one in the future.

Setting up Azure Files

Begin by creating a new storage account that will contain the Azure Files:

image

Basic Tab

Fill in the required configuration parameters for the storage account based on the requirements. Note that the Storage account name will need to be unique across all of Azure’s storage accounts because the name will be used as part of the URL for access. The name needs to be:

  • Between 3 to 24 characters long
  • Contain only lowercase characters and numbers (no special characters such as “-“)
image

Networking Tab

We will be locking down the connectivity method to private endpoints later so leave the Connectivity method as Public endpoint (all networks) for now and Routing preference as the default Microsoft networking routing (default):

image

Data protection tab

The data protection options are displayed and the one that is related to Azure Files is the Turn on soft delete for file shares:

image

The setting that pertains to Azure Files in the advanced tag is Large file shares support, which provides file share support up to a maximum of 100 TiB but does not support geo-redundant storage:

image

image

Proceed to create the storage account by clicking Review + create button then Create.

With the storage account successfully created, open the new storage account and navigate to the File shares menu option:

image

Click on the + File share button to create a new file share:

image

Configure the new file share with the settings required.

I won’t go into the details of the Tiers but will provide this reference link for more information: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-planning?WT.mc_id=Portal-Microsoft_Azure_FileStorage#storage-tiers

image

Complete creating the file share by clicking on the Create button.

With the test File share created, click to open it:

image

You can directly upload files into the file share, modify the tier, configure various operations and retrieve information pertaining to the file share.

image

You may notice that clicking into the Access Control (IAM) menu option will display the following:

Identity-based authentication (Active Directory) for Azure file shares

To give individual accounts access to the file share (Kerberos), enable identity-based authentication for the storage account. Learn more

image

This is where you would configure the Share permissions for Active Directory account access, which I will cover in a future blog post.

Clicking into the properties of the file share will display the https URL to access the share.

image

Note that you won’t be able to browse into the folder as how you would be able to for blog storage with anonymous access. Attempting to do so will display the following:

<Error>
<Code>InvalidHeaderValue</Code>
<Message>The value for one of the HTTP headers is not in the correct format. RequestId:ee3cfc97-601a-0077-765e-1342f2000000 Time:2021-03-07T14:33:25.6179879Z</Message>
<HeaderName>x-ms-version</HeaderName>
<HeaderValue/>
</Error>

image

The rest of the configuration settings are fairly self-explanatory where backups is to configure backups for the Azure File and Snapshots is a feature I will demonstrate later in this post.

Administratively Accessing Azure Files for Upload and Download and other Folder Operations

The Azure portal allows you to upload and download files but is not very efficient. A better way of administratively accessing the share would be to use Azure Storage Explorer, which is an application that is installed onto a desktop or server. Proceed to download and install the application: https://azure.microsoft.com/en-ca/features/storage-explorer/

Launch the application and click on the power plug icon on the left to connect to a variety of Azure services:

image

Note the following selection of Azure resources we can connect to:

  • Subscription
  • Storage account
  • Blog container
  • ADLS Gen2 container or directory
  • File share
  • Queue
  • Table
  • Local storage emulator
image

As we are configuring Azure Files, the 3 options we are interested in connecting to are:

  • Subscription
  • Storage account
  • File share

I will demonstrate connecting to the 3 of them.

Subscription

Connecting with the Subscription option simply requires credentials to the Azure tenant and essentially provides access to all of the storage resources in the subscription:

image

image

Storage account

Connecting to the Storage Account provides to options:

  • Account name and key
  • Shared access signature (SAS)
image

To use the Account name and key, navigate to the storage account in the Azure portal and into Access keys. The information we need is the Storage account name and key1 or key2:

image

Paste the information in the Azure Storage Explorer:

image

Proceed to connect:

image

The connection should succeed and you will see the storage account listed in the Storage Accounts node:

image

To use the Shared access signature (SAS), navigate to the storage account in the Azure portal and into Access keys. The information we need is the Storage account name and Connection string:

image

Paste the information in the Azure Storage Explorer:

image

Proceed to connect:

image

The connection should succeed and you will see the storage account listed in the Storage Accounts node:

image

File share

Connecting with the File share option requires a SAS (Shared Access Signature) to be created. You unfortunately can’t create it directly from the storage account portal as it will not be Azure File specific:

image

An alternative way of creating it is to use Azure Storage Explorer with an already established connection to the storage account, right click on the File Share, then select Get Shared Access Sigantuare…:

image

A Shared Access Signature window will be displayed with options to configure the permissions for this access:

image

Selecting Create after the parameters are set will generate the following three strings:

Share: Test

URI: https://steastusserviceendpoint.file.core.windows.net/test?st=2021-03-07T15%3A04%3A29Z&se=2021-03-08T15%3A04%3A29Z&sp=rl&sv=2018-03-28&sr=s&sig=X5lu4wbZGuOggVERMHuasvDVHPayoxFj9muJ9L%2FWsPM%3E

Query string: ?st=2021-03-07T15%3A02%3A29Z&se=2021-03-08E15%3A04%3A29Z&sp=rl&sv=2018-03-28&sr=s&sig=X5lu4mbEGuOugVJRMHutsvDVHPayoxFj9muJ9L%2FWsPM%3D

image

Use the strings to connect to Azure Files in the Azure Storage Explorer:

imageimage

image

Once connected to the Azure File Shares with Azure Storage Explorer, you’ll be able to create new folders, upload/download files and perform other folder related operations.

image

Access policies on the share can also be configured:

image

image

Accessing Azure Files by mounting the folder as a drive in Windows, Linux or Mac OS

With the Azure Files file share setup, access to it can be provided to Windows, Linux or Mac OS by clicking on the Connect button to bring up the commands to mount the drive:

image

Linux and Macs:

imageimage

The following demonstrates what using the PowerShell to mount the drive in Windows looks like:

image

**Note that just as all Windows map drives are, SMB over port 445 is used for communication and this port is usually blocked by ISPs so it is not likely to work if you run this on a remote computer coming in from the internet with no VPN into Azure.

The PowerShell cmdlet used to map the drive performs the following:

  • Test the connection to the storage account via port 445
  • Assuming connection succeeds, it will save the password to the storage account
  • Map the drive as the letter defined in the Azure portal and set it to be persistent

If this drive ever needs to get removed then use the Remove-PSDrive to remove it.

image

The drive should now be mapped as Z:

image

Another way to map the drive without using a PowerShell script is to simply use the drive mapping feature directly from Windows Explorer. Before attempting to map the drive, you’ll need to retrieve the path and the credentials for connecting to the drive. Begin by using the Azure portal and navigate into Properties of the File share, then copy the URL without the https:// as shown in the screenshot below:

steastusserviceendpoint.file.core.windows.net/test

image

Navigate to the Access keys of the storage account and copy key1 or key2 as it will be used as the password:

image

Proceed to use the Windows desktop or server to map a network drive and use the following parameters:

Folder: \\steastusserviceendpoint.file.core.windows.net\test < note that I changed the “/” for test to “\” and added “\\” to the beginning.

Use the following for authentication:

Username: Azure\<storageAccountName>

Password: Key1 or Key2

image

image

image

Azure Files Snapshots

Snapshots for the File Share is also available but note that it behaves more like a Volume Shadow Copies (VSS) on a Windows Server that allows the use of the Previous Versions tab than, say, a SAN or VM snapshot. You can create snapshot by navigating into the File share, select the Snapshots operation, and then click on Add snapshot:

image

Provide a comment for the snapshot then click OK:

image

A snapshot will be created:

image

Now if you proceed to edit the Test.txt file in the Azure File share, a previous version will be made available:

image

Lock down Azure Files access with to service endpoint

You may want to tighten the access security depending on the sensitivity of the data stored in the Azure Files file share and one of the ways to achieve this is to use an Azure Service Endpoint and Private Endpoint. I won’t go into depth for either of them as I want to write a separate blog post for it so what I’ll do is provide a brief overview of how we can secure access with a service endpoint.

Begin by navigating to the Networking configuration for the storage account and change Allow access from the configuration All networks to Selected networks:

image

There are multiple options for limiting access for this storage account but for the purpose of this example, I will be placing in 1 subnet from a production VNet in the environment:

image

With the above configuration set, only subnets in the defined VNet will be able to access the storage account and the Azure Files.

2 comments:

Hailey said...

Azure Files are served by Server Message Block. I was looking for the expert level configuring and I found it here.

Vibin said...

Hello Team, your content about "Configuring and accessing Microsoft Azure Files" In this Blog has clearly explained the Key benefits and Setting up Azure Files; that was great and easy to understand, and also it was helpful to me. Kudos for your efforts!!!