Creating an FTP Site in Azure with Azure Storage File Share
If you want to host an FTP site in Azure there’s currently not a dedicated resource for this so the next best option is to spin up a virtual machine and use IIS for running the FTP site. It’s also possible to set the FTP site to use an Azure Storage file share to host the files, from there they can either be accessed via UNC or moved directly to blob storage.
When creating a virtual machine in Azure a bunch of other resources get created along with it such as a network interface and a virtual network so I’d advise creating a new resource group to hold all of these to make them easier to manage.
I initially created a B1S virtual machine but this didn’t have enough RAM to install IIS so the cheapest machine I’d suggest using for this is the B2S.
When you create the VM the main things to watch out for are that the storage account should have a name of 20 characters or less and that the name is not the same as that for the VM. You’ll also need to allow traffic on port 22 to allow you to remote desktop into it.
Once your VM has been provisioned go to it’s networking settings in the Azure portal and add port 21 and the range 9990-10000 to it’s inbound ports.
Azure Storage File Share
Within the Azure Storage account that’s created when you provision the VM go to Files and add a file share, when this has created click on it in the portal and then click Connect, this will open a blade containing PowerShell commands for adding the file share as a UNC drive to a Windows machine, copy this code and save it somewhere as you’ll need it later.
Log into the VM using the admin credentials set at creation and open PowerShell, run the code copied from the file share blade in the Azure portal to add it as a UNC drive.
Next you need to install IIS on your server, this can be done from the Server Manager dashboard by choosing Add Roles and Features from the Manage menu and choosing the following options as specified here.
- Proceed to Installation Type step and confirm Role-based or feature-based installation.
- Proceed to Server Roles step and check Web Server (IIS) role. Note that it is checked already, if you had IIS installed as a Web Server previously. Confirm installing IIS Management Console tool.
- Proceed to Web Server Role (IIS) > Role Services step and check FTP Server role service. Uncheck Web Server role service, if you do not need it.
- Proceed to the end of the wizard and click Install.
- Wait for the installation to complete.
In order to have your FTP server play nicely with the Azure Storage file share you need to create a user capable of logging into the file share as the UNC path needs to be referenced rather than the mapped drive used within Windows which was added by the PowerShell commands above, as explained here.
Users can be added though Tools > Computer Management in the Server Manager. The username should be the name of the storage account and as usernames can’t be over 20 characters long or have the same name as the VM this is the reason for the restrictions in naming our storage account earlier. The password should be the access key for the storage account and “User cannot change password” and “Password never expires” should be selected. This user should then be added to the IIS_IUSRS group.
Once the connecting user has been added you need to create the FTP site, this is done from Tools > Internet Information Services (IIS) Manager in the Server Manager.
First add the ports that you opened in the Azure Firewall to the FTP Firewall Support setting at the server level, the external IP address should be that of your VM.
Next, right click in Sites and add a new FTP site, the physical path parameter should be the UNC path to your file share, rather than the drive alias used by Windows.
When creating an FTP site you should disallow anonymous authentication and use basic, users can be granted access by adding them in the local users step above an either assigning them to a relevant group or just granting all users of the machine access to the FTP site.
You will now have an FTP site set up and available but if you try to connect to it you’ll get an access denied error, this is because FTP on IIS fails to pass through the credentials and so you need to set these explicitly. This is done from the Basic Settings dialog in the right hand menu bar of the FTP site, within the connect as section of this enter the username and password of the user you created earlier (this will be the name of your storage account and the access key), once done save and then test the connection settings.
The FTP site should now be up and running and uploaded files saved on the Azure file share!
My ultimate goal for this was to get the uploaded files into Azure Blob Storage, however the file share is separate to this and so the files still need to be moved once uploaded, this can be done by setting up a logic app (among other methods) but I haven’t got round to doing this yet. Another option would also be to have a console app monitoring the FTP folder and then transferring the files over once they’ve been uploaded, this would also do away with the need for the fileshare.