Azure Blob SFTP Custom Domain

Nick Vigors 1 Reputation point
2022-03-04T09:45:16.113+00:00

Hi All,

I am testing the 'new' SFTP support for Azure Blob Storage. First, I think this is a great addition!

I am now trying to use it with a custom domain. For example, rather than my connection string being:


3 answers

  1. Matt Spradley 26 Reputation points
    2022-03-11T18:52:39.033+00:00

    I am wanting to do the same thing.

    One issue is you have to have a valid SSL cert with the custom domain to support the SFTP protocol. Storage accounts don't support adding certs directly right now and only offer SSL protection for the native domain.

    From what I've gathered, the only way to add a cert to a storage account is using a CDN endpoint as described here. I did that and was able to get https working for accessing files over ssl. However, I couldn't get SFTP to work. I think this is due to the port used (22) and maybe the CDN doesn't support SFTP regardless. I did change the https port on the CDN to 22 and it did not help.

    @Microsoft, are there any plans to add custom domain support directly to storage accounts and fix the SFTP for custom domain issue or some other way to add custom domains to the new SFTP server?

    2 people found this answer helpful.

  2. Michel Lapointe 11 Reputation points
    2022-05-31T20:41:46.957+00:00

    For future readers of this thread: this feature currently works as expected with very minimal config (at least for me).

    Just add a custom CNAME to the Storage Account Hostname and use it within your SFTP connection string.

    accountname.username@<custom DNS Name>

    Note that this format assumes a home directory has been specified (refer to MS Doc).

    Some additional notes

    • This is not an HTTPS connection so you don't need to bother with supporting custom CERT on the Azure Storage (this is irrelevant for SFTP).
    • I found that the Custom Domain configuration within the Storage Account does not seem to be mandatory. A DNS CNAME was sufficient.
    • If you want to add a custom DNS Name, you would be required to do it programmatically as the Portal GUI won't show the option when SFTP is used.
    • Also, make sure to use a DNS domain name that can be verified.

    Particular scenarios

    • Private Endpoint - If you are using a private endpoint to reach the Storage Account, ensure port 22 is open on your network (within NSGs, Firewalls, NVA,...)
    • Frontdoor - This is not an option you can use for SFTP traffic

    Troubleshooting

    • Per Microsoft documentation, make sure your DNS Provider does not proxy requests as this may cause network connection timeout (this may be a candidate to explain Nick's issue above).
    2 people found this answer helpful.
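
The answer above notes that certificates do not apply to SFTP; the server is identified by its SSH host key instead. The following is an added example (not from the thread or from Microsoft) that checks whether a custom CNAME presents the same host keys as the storage account's native endpoint, given two saved `ssh-keyscan` outputs. The hostnames, file names and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example: compare SSH host keys seen under a custom CNAME with those of
# the storage account's native endpoint. A mismatch suggests the name does not
# land on the storage account (for example, a proxying DNS provider).
#
# Live collection (hostnames are placeholders):
#   ssh-keyscan -p 22 sftp.example.com                   > custom.scan
#   ssh-keyscan -p 22 accountname.blob.core.windows.net  > native.scan

# Reduce ssh-keyscan output ("host keytype base64key") to sorted
# "keytype key" pairs, dropping comment lines and the hostname column.
host_keys() {
    awk '!/^#/ && NF >= 3 { print $2, $3 }' "$1" | sort -u
}

# Succeed only when both scans hold at least one key and the sets are identical.
same_host_keys() {
    a=$(host_keys "$1")
    b=$(host_keys "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample scans (not real keys) so the script runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/custom.scan" <<'EOF'
# sftp.example.com:22 SSH-2.0-ConstructedBanner
sftp.example.com ssh-rsa AAAAconstructedRSAkey
sftp.example.com ecdsa-sha2-nistp256 AAAAconstructedECkey
EOF
cat > "$demo_dir/native.scan" <<'EOF'
accountname.blob.core.windows.net ecdsa-sha2-nistp256 AAAAconstructedECkey
accountname.blob.core.windows.net ssh-rsa AAAAconstructedRSAkey
EOF

if same_host_keys "$demo_dir/custom.scan" "$demo_dir/native.scan"; then
    echo "host keys match: custom name reaches the same SFTP endpoint"
else
    echo "HOST KEY MISMATCH: do not accept the key for the custom name"
fi
rm -rf "$demo_dir"
```

Because `known_hosts` entries are stored per hostname, the SFTP client will prompt for the host key the first time the custom name is used; comparing against the native endpoint first gives a basis for accepting it.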

  3. Manu Philip 17,111 Reputation points MVP
    2022-03-04T11:20:19.963+00:00

    I think the CNAME that was created needs to be checked. Reference: https://video2.skills-academy.com/en-us/azure/cloud-services/cloud-services-custom-domain-name-portal#add-a-cname-record-for-your-custom-domain

    You must also provide the domain or subdomain alias for the CNAME, such as www if you want to create an alias for www.customdomain.com. If you want to create an alias for the root domain, it may be listed as the '@' symbol in your registrar's DNS tools.
    Then, you must provide a canonical host name, which is your application's cloudapp.net domain in this case.

    For example, the following CNAME record forwards all traffic from www.contoso.com to contoso.cloudapp.net, the custom domain name of your deployed application:
    Alias/Host name/Subdomain | Canonical domain
    www                       | contoso.cloudapp.net
