Setup Azure Storage Account SFTP

Microsoft have recently released the ability to enable SFTP on Azure Storage Accounts to securely connect for file transfer and management. Before now you’d have to set up your own SFTP server, typically on an Azure VM, to achieve this functionality.

At the time of writing this post this feature is in preview and only available in the following regions:

North Central US
East US 2
East US 2 EUAP (need to join EUAP program – contact CSA or CSAM)
Central US EUAP (need to join EUAP program – contact CSA or CSAM)
Canada East
Canada Central
North Europe
Australia East
Switzerland North
Germany West Central
East Asia
France Central

What is SFTP?

SSH File Transfer Protocol (SFTP) was designed as an extension of SSH v2 to provide secure file transfer between client and server.

Legacy workloads may require SFTP rather than AzCopy, the REST API or the Azure SDK, so this feature will no doubt be useful for many organisations.

Prerequisites for Azure SFTP

In order to use SFTP we must first register it for the subscription that we want our Storage Account to reside in.

Using Azure CLI, first move to the context of the Azure subscription:

az account set --subscription "xxxx-xxxx-xxxx-xxxx"

To check if SFTP is already registered we can use:

az feature show --namespace Microsoft.Storage --name AllowSFTP

As you can see, it wasn’t enabled on my subscription:

To enable it, we run the below:

az feature register --namespace Microsoft.Storage --name AllowSFTP
az provider register -n Microsoft.Storage

Pricing Azure SFTP

As this is still a preview feature there is no cost for the service itself. You are still charged for the Azure Data Lake Store Gen2 storage. Using the Azure Pricing Calculator, you can estimate your monthly cost by ensuring the underlined options are selected. SFTP requires that blobs are organised as hierarchical namespaces, so we need to choose that option.

Azure SFTP Setup

First we need to create the Storage Account.

I’m going to create it in North Europe as it’s the closest region to me that currently supports SFTP.

I’ve given the storage account a name and selected the Standard Performance tier – Premium is currently not supported for SFTP.

On the Advanced tab, you must select “Enable hierarchical namespace”, then you can enable SFTP too.

Click Review + create, and then Create to create the storage account.

Once the storage account has been created (it should only take a few moments), click “Go to resource”.

First we need to create a Container to hold our data. I’m going to call it “sftpfolder” and leave the public access level as “Private”.

We can see it created successfully in the containers page.

Under settings you should be able to see an SFTP option. Going into that option you can see that you have the ability to create local users. We’ll need to do this to be able to authenticate to our SFTP service.

Click “Add local user”, then choose a username and select an authentication method. In my case I’m going to use SSH password.

You can select both SSH password and SSH Public key so that the user has the option when making a connection. Selecting SSH Public Key, you have the ability to generate a new key pair, use an existing key stored in Azure or use an existing public key. Then click Next.

We then choose the container we created earlier, so I’ll select sftpfolder. We can also choose the permissions that we want our user to have. I have the option of choosing Read, Write, List, Delete and Create. For the purposes of this blog I’ve selected all permissions.

I can also select a Home directory for the user if I want to, in my case I’ll leave that blank. I then click Add.

We’re then provided with a long password string for our user account. Note that you cannot change this to one that you want, only regenerate another long string password. I’ve copied mine to clipboard and made a note of it.

Now that our SFTP storage account is created and we have a user, I’m going to open PowerShell to test it out.

First we type in “sftp storageaccountname.containername.username@storageaccountURL”. For example:

sftp tcsftptest.sftpfolder.todd@tcsftptest.blob.core.windows.net

I’ll then be asked to confirm that I’m happy to connect to this host as the authenticity can’t be established. This is fine, we know we’re connecting to a legitimate host, so I type yes. I then paste in the long password string that I copied earlier and that’s it, I’m connected.

As a test, I can copy a test file I created called t.txt from C:\temp on my local machine using:

put C:\temp\t.txt

Typing “ls” I can see the file is now in the root directory.

I can also see the file within the container in the Azure portal.
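
The portal steps above can also be scripted with the Azure CLI. The following is an added example, not code from the original post: the function names are hypothetical, and it assumes a current Azure CLI, a signed-in session with rights on an existing resource group, and names supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the post): Azure CLI version of the portal steps.

# Permission letters for a local user's container scope, the five the post
# lists: r=Read, c=Create, w=Write, d=Delete, l=List. Reject anything else.
valid_perms() {
  case "$1" in ''|*[!rcwdl]*) return 1 ;; esac
}

# Standard-tier account with hierarchical namespace and SFTP enabled.
create_sftp_account() {  # <resource-group> <account> <location>
  az storage account create --resource-group "$1" --name "$2" --location "$3" \
    --kind StorageV2 --sku Standard_LRS \
    --enable-hierarchical-namespace true --enable-sftp true
}

# Container with public access off ("Private" in the portal).
create_private_container() {  # <account> <container>
  az storage container create --account-name "$1" --name "$2" \
    --public-access off --auth-mode login
}

# Local user limited to one container, with SSH password authentication.
create_sftp_user() {  # <resource-group> <account> <container> <user> <perms>
  valid_perms "$5" || { echo "invalid permissions: $5" >&2; return 2; }
  az storage account local-user create --resource-group "$1" \
    --account-name "$2" -n "$4" --has-ssh-password true \
    --permission-scope permissions="$5" service=blob resource-name="$3"
}

# Ask Azure for a new password for the user (it cannot be chosen by hand).
new_sftp_password() {  # <resource-group> <account> <user>
  az storage account local-user regenerate-password --resource-group "$1" \
    --account-name "$2" -n "$3"
}

# Connection string in the form the post uses: account.container.user@host
sftp_target() {  # <account> <container> <user>
  printf '%s.%s.%s@%s.blob.core.windows.net\n' "$1" "$2" "$3" "$1"
}

# Usage: sh sftp-setup.sh <rg> <account> <location> <container> <user> <perms>
if [ "$#" -eq 6 ]; then
  create_sftp_account "$1" "$2" "$3" && create_private_container "$2" "$4" &&
    create_sftp_user "$1" "$2" "$4" "$5" "$6" &&
    new_sftp_password "$1" "$2" "$5" && sftp_target "$2" "$4" "$5"
fi
```

Passing rcwdl as the last argument reproduces the post's choice of all permissions; a shorter string such as rl grants only Read and List. On the first connection, compare the host key fingerprint shown in the prompt with the one Microsoft publishes for the account's region before answering yes.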