Here are a few options to consider:
- Leverage Azure Hybrid Connections (for SMB alternatives)

  If SMB ports are blocked for Azure App Service, an alternative approach is to use Azure Hybrid Connections. Hybrid Connections are designed to securely allow Azure App Service to access on-premises resources without opening inbound ports directly to the App Service.

  Here’s how this could work:
  - Hybrid Connections provide a secure, outbound connection from the App Service to on-premises resources like a NAS device.
  - It uses HTTPS (on port 443), which is typically open and avoids the need to open the SMB ports.
  - You can configure Azure Hybrid Connection to link an App Service with a specific on-premises server that has access to your NAS.
  - The server that connects to the NAS does not need to be a VM in Azure, and you avoid the Azure File Sync agent running directly on the App Service.
- Use Azure File Sync with a Centralized File Server

  Instead of deploying multiple Azure File Sync agents across different servers, you could centralize the synchronization process to a single server or a minimal number of servers that have access to the NAS.

  Here’s the approach:
  - Install the Azure File Sync agent on a single on-premises server or gateway server that has access to your NAS. This server will be responsible for syncing your NAS file data to an Azure File Share.
  - Azure File Share can then be accessed by the Azure App Service through mounting the Azure file share using SMB or REST APIs.
  - You can scale down the number of servers (even to one) involved in this sync process, which avoids deploying multiple VMs for sync purposes.
- Azure Storage with SMB (via Private Endpoint)

  If your on-premises NAS can be synchronized with Azure File Share but you're trying to access it without SMB restrictions, you might want to consider using a Private Endpoint for Azure Files. This could be useful in situations where direct internet access isn't ideal, and you'd prefer to avoid the security overhead of opening ports.

  Here’s the flow:
  - Sync on-prem NAS to Azure File Share using the Azure File Sync agent on a single gateway server.
  - Once the Azure File Share is populated with the necessary files, create an Azure Private Endpoint for the Azure File Share.
  - Azure App Service can then access the Azure File Share securely using the private IP address (over the Azure Virtual Network (VNet)), which provides a secure connection to the file share without routing traffic over the public internet.
- SMB over VPN/ExpressRoute (if needed)

  If you cannot use Azure File Sync or Hybrid Connections, and you need to access your NAS directly over SMB (but SMB ports are blocked for Azure App Service), another potential option is to use VPN or ExpressRoute to provide connectivity between your Azure environment and your on-premises network.
  - VPN Gateway or ExpressRoute establishes a secure, private tunnel between your on-premises network and your Azure Virtual Network.
  - From your App Service, you can connect to VMs in the VNet that have access to the NAS, or you can configure SMB directly between the on-premises NAS and Azure File Share over this private connection.
hth
Marcin
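
The Private Endpoint flow from the answer above, sketched with the Azure CLI as an added example (not part of the original answer). It goes one step beyond the answer by including the private DNS zone, App Service VNet integration and the public-endpoint lock-down that the private path depends on. All resource names and `SA_ID` are placeholders, and the script only prints the commands unless it is called with `apply`.

```bash
#!/usr/bin/env bash
# Added example: private-endpoint flow for a synced Azure file share.
# Every name below is a placeholder (assumption), override via environment.
RG="${RG:-rg-example}"                 # resource group
SA="${SA:-stexamplefiles}"             # storage account holding the file share
SA_ID="${SA_ID:-<storage-account-resource-id>}"  # must be set before "apply"
VNET="${VNET:-vnet-example}"           # VNet shared by endpoint and app
PE_SUBNET="${PE_SUBNET:-snet-pe}"      # subnet for the private endpoint
APP_SUBNET="${APP_SUBNET:-snet-app}"   # subnet for App Service VNet integration
APP="${APP:-app-example}"              # App Service name
ZONE="privatelink.file.core.windows.net"  # private DNS zone used by Azure Files

# run: print the command in dry-run mode (default), execute it when DRY_RUN=0
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

plan_private_share() {
  # 1. Private endpoint for the "file" sub-resource of the storage account
  run az network private-endpoint create --resource-group "$RG" \
      --name "pe-$SA-file" --vnet-name "$VNET" --subnet "$PE_SUBNET" \
      --private-connection-resource-id "$SA_ID" \
      --group-id file --connection-name "pe-$SA-file-conn"
  # 2. Private DNS so <account>.file.core.windows.net resolves to the private IP
  run az network private-dns zone create --resource-group "$RG" --name "$ZONE"
  run az network private-dns link vnet create --resource-group "$RG" \
      --zone-name "$ZONE" --name "link-$VNET" \
      --virtual-network "$VNET" --registration-enabled false
  run az network private-endpoint dns-zone-group create --resource-group "$RG" \
      --endpoint-name "pe-$SA-file" --name default \
      --private-dns-zone "$ZONE" --zone-name file
  # 3. The App Service reaches the endpoint only through VNet integration
  run az webapp vnet-integration add --resource-group "$RG" --name "$APP" \
      --vnet "$VNET" --subnet "$APP_SUBNET"
  # 4. Close the public endpoint; creating a private endpoint does not do this
  run az storage account update --resource-group "$RG" --name "$SA" \
      --public-network-access Disabled
}

# Runs only when invoked as: script.sh plan | apply
case "${1:-}" in
  plan)  DRY_RUN=1 plan_private_share ;;
  apply) DRY_RUN=0 plan_private_share ;;
esac
```

Step 4 assumes the on-premises sync server also reaches the storage account over a private path (VPN or ExpressRoute); if it syncs over the internet, restrict the storage firewall to its public IP instead of disabling public access outright.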