This architecture demonstrates a way to provide file shares in the cloud to on-premises users and applications that also access files on Windows Server through a private endpoint.
Architecture
Download a Visio file of this architecture.
Workflow
This solution synchronizes the on-premises AD DS and the cloud-based Microsoft Entra ID. Synchronizing makes users more productive by providing a common identity for accessing both cloud and on-premises resources.
Microsoft Entra Connect is the on-premises Microsoft application that does the synchronizing. For more information about Microsoft Entra Connect, see What is Microsoft Entra Connect? and Microsoft Entra Connect Sync: Understand and customize synchronization.
Azure Virtual Network provides a virtual network in the cloud. For this solution, it has at least two subnets, one for Azure DNS, and one for a private endpoint to access the file share.
Either VPN or Azure ExpressRoute provides secure connections between the on-premises network and the virtual network in the cloud. If you use VPN, create a gateway by using Azure VPN Gateway. If you use ExpressRoute, create an ExpressRoute virtual network gateway. For more information, see What is VPN Gateway? and About ExpressRoute virtual network gateways.
Azure Files provides a file share in the cloud. This requires an Azure Storage account. For more information about file shares, see What is Azure Files?.
A private endpoint provides access to the file share. A private endpoint is like a network interface card (NIC) inside a subnet that attaches to an Azure service. In this case, the service is the file share. For more information about private endpoints, see Use private endpoints for Azure Storage.
The on-premises DNS server resolves IP addresses. However, Azure DNS resolves the Azure file share Fully Qualified Domain Name (FQDN). All DNS queries to Azure DNS originate from the virtual network. There's a DNS proxy inside the virtual network to route these queries to Azure DNS. For more information, see On-premises workloads using a DNS forwarder.
You can provide the DNS proxy on a Windows or Linux server, or you can use Azure Firewall. For information on the Azure Firewall option, which has the advantage that you don't have to manage a virtual machine, see Azure Firewall DNS settings.
The on-premises custom DNS is configured to forward DNS traffic to Azure DNS via a conditional forwarder. Information on conditional forwarding is also found in On-premises workloads using a DNS forwarder.
The on-premises AD DS authenticates access to the file share. This is a four-step process, as described in Part one: enable AD DS authentication for your Azure file shares
Components
- Azure Storage is a set of massively scalable and secure cloud services for data, apps, and workloads. It includes Azure Files, Azure Table Storage, and Azure Queue Storage.
- Azure Files offers fully managed file shares in an Azure Storage account. The files are accessible from the cloud or on-premises. Windows, Linux, and macOS deployments can mount Azure file shares concurrently. File access uses the industry standard Server Message Block (SMB) protocol.
- Azure Virtual Network is the fundamental building block for private networks in Azure. It provides the environment for Azure resources, such as virtual machines, to securely communicate with each other, with the internet, and with on-premises networks.
- Azure ExpressRoute extends on-premises networks into the Microsoft cloud over a private connection.
- Azure VPN Gateway connects on-premises networks to Azure through site-to-site VPNs, in much the same way as you connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
- Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.
- A private endpoint is a network interface that uses a private IP address from your virtual network. You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network to access data over a private link.
- Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server.
Scenario details
Consider the following common scenario: an on-premises Windows Server is used to provide file shares for users and applications. Active Directory Domain Services (AD DS) is used to secure the files, and an on-premises DNS server manages network resources. Everything operates within the same private network.
Now, imagine the need arises to extend file shares to the cloud.
The architecture described here demonstrates how Azure can meet this need cost-effectively while maintaining the use of your on-premises network, AD DS, and DNS.
In this setup, Azure Files is used to host the file shares, while a site-to-site VPN or Azure ExpressRoute provides secure connections between the on-premises network and Azure virtual network. Users and applications access the files via these secure connections. Microsoft Entra ID and Azure DNS work together with on-premises AD DS and DNS to ensure secure access.
In summary, if you're facing this scenario, you can offer cloud-based file shares to your on-premises users at a low cost while maintaining secure access using your existing AD DS and DNS infrastructure.
Potential use cases
- The file server moves to the cloud, but the users must remain on-premises.
- Applications that are migrated to the cloud need to access on-premises files, and also files that are migrated to the cloud.
- You need to reduce costs by moving file storage to the cloud.
Considerations
These considerations implement the pillars of the Azure Well-Architected Framework, which is a set of guiding tenets that can be used to improve the quality of a workload. For more information, see Microsoft Azure Well-Architected Framework.
Reliability
Reliability ensures that your application can meet the commitments that you make to your customers. For more information, see Overview of the reliability pillar.
- Azure Storage always stores multiple copies of your data in the same zone, so that it's protected from planned and unplanned outages. There are options for creating additional copies in other zones or regions. For more information, see Azure Storage redundancy.
- Azure Firewall has built-in high availability. For more information, see Azure Firewall Standard features.
Security
Security provides assurances against deliberate attacks and the abuse of your valuable data and systems. For more information, see Overview of the security pillar.
These articles have security information for Azure components:
- Azure security baseline for Azure Storage
- Azure security baseline for Azure Private Link
- Azure security baseline for Virtual Network
- Azure security baseline for Azure Firewall
Cost optimization
Cost optimization is about looking at ways to reduce unnecessary expenses and improve operational efficiencies. For more information, see Overview of the cost optimization pillar.
To estimate the cost of Azure products and configurations, use the Azure Pricing calculator.
These articles have pricing information for Azure components:
Performance efficiency
Performance efficiency is the ability of your workload to scale to meet the demands placed on it by users in an efficient manner. For more information, see Performance efficiency pillar overview.
- Your Azure Storage accounts contain all of your Azure Storage data objects, including file shares. A storage account provides a unique namespace for its data, a namespace that's accessible from anywhere in the world over HTTP or HTTPS. For this architecture, your storage account contains file shares that are provided by Azure Files. For best performance, we recommend the following:
- Don't put databases, blobs, and so on, in storage accounts that contain file shares.
- Have no more than one highly active file share per storage account. You can group file shares that are less active into the same storage account.
- If your workload requires large amounts of IOPS, extremely fast data transfer speeds, or very low latency, then you should choose premium (FileStorage) storage accounts. A standard general-purpose v2 account is appropriate for most SMB file share workloads. For more information about the scalability and performance of file shares, see Azure Files scalability and performance targets.
- Don't use a general-purpose v1 storage account, because it lacks important features. Instead, upgrade to a general-purpose v2 storage account. The storage account types are described in Storage account overview.
- Pay attention to size, speed, and other limitations. Refer to Azure subscription and service limits, quotas, and constraints.
- There's little you can do to improve the performance of non-storage components, except to be sure that your deployment honors the limits, quotas, and constraints that are described in Azure subscription and service limits, quotas, and constraints.
- For scalability information for Azure components, see Azure subscription and service limits, quotas, and constraints.
Contributors
This article is maintained by Microsoft. It was originally written by the following contributors.
Principal author:
- Rudnei Oliveira | Senior Azure Security Engineer
Next steps
- Quickstart: Create a virtual network using the Azure portal
- What is VPN Gateway?
- Tutorial: Create and manage a VPN gateway using Azure portal
- Azure enterprise cloud file share
- Azure Virtual Network concepts and best practices
- Planning for an Azure Files deployment
- Use private endpoints for Azure Storage
- Azure Private Endpoint DNS configuration
- Azure Firewall DNS settings
- Compare self-managed Active Directory Domain Services, Microsoft Entra ID, and managed Microsoft Entra Domain Services