Implement a hybrid file server infrastructure

Configure Connectivity to Azure Files

Contoso users will likely connect to Azure Files using the SMB protocol, although NFS is also supported.
SMB uses TCP port 445 to establish connections.
Many companies and Internet service providers block this port, which is a common reason why users cannot access Azure Files.

If unblocking port 445 is not an option, you can still access Azure Files by first establishing one of the following:

  • a point-to-site (P2S) virtual private network
  • a site-to-site (S2S) virtual private network
  • an Azure ExpressRoute connection to Azure

Another solution is to use Azure File Sync to synchronize an Azure file share with a local file server, which users can still access.

Azure Storage Firewalls and Virtual Networks

Azure Storage, which includes Azure Files, offers a layered security model.
This model allows you to secure and control the level of access to storage accounts based on the type and subset of networks from which the request originates.

By default, a storage account firewall allows access from all networks, but you can modify this configuration to allow access only from:

  • certain IP addresses
  • IP address ranges
  • a list of subnets in an Azure virtual network

Firewall configuration also allows you to select trusted Azure platform services to securely access the storage account.

In addition to the default public endpoint, storage accounts (including Azure Files) offer the ability to have one or more private endpoints.
A private endpoint is accessible only within an Azure virtual network.

When you create a private endpoint for a storage account, it receives a private IP address from the virtual network’s address space, just like a local file server or NAS device receives an IP address in a local network.
This secures all traffic between the virtual network and the storage account through a private link.

💡 Tip


You can also use the storage account firewall to block all access via the public endpoint when using private endpoints.

Connecting to an Azure File Share

To use an Azure file share with Windows, you must either:

  • mount it (assign it a drive letter or mount point path)
  • or access it via its UNC (Universal Naming Convention) path

The UNC path includes:

  • the Azure storage account name
  • the domain suffix file.core.windows.net
  • and the share name

For example, if the Azure storage account is named storage1 and the share is share1, the UNC path would be:

\\storage1.file.core.windows.net\share1

If identity-based authentication is enabled for the storage account and you connect to an Azure file share from a domain-joined Windows device, you do not need to manually provide credentials.

Otherwise, you must provide credentials.
You can use AZURE\<storage account name> as the username and the storage access key as the password.
These same credentials are used if you connect to an Azure file share using the script provided by the Azure portal.

⚠️ Warning


Storage access keys provide unlimited access to an Azure file share.
It is recommended to use identity-based authentication whenever possible.
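
The connection steps above as a PowerShell function, added here as an example (it is not the script the Azure portal generates): it checks TCP port 445, then mounts the UNC path with the signed-in identity, or with `AZURE\<storage account name>` and a prompted access key. The function name `Connect-AzureFileShare`, the `-UseAccessKey` switch and the drive letter `Z` are assumptions; `storage1` and `share1` are the sample names used on this page.

```powershell
# Added example, not the Azure portal's script. storage1/share1 are the page's
# sample names; the function name, switch and drive letter are assumptions.
function Connect-AzureFileShare {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $StorageAccount,
        [Parameter(Mandatory)] [string] $Share,
        [ValidatePattern('^[A-Za-z]$')] [string] $DriveLetter = 'Z',
        # Fall back to the storage access key only when identity-based auth is unavailable.
        [switch] $UseAccessKey
    )

    $fqdn = "$StorageAccount.file.core.windows.net"
    $unc  = "\\$fqdn\$Share"

    # SMB needs outbound TCP 445; many ISPs and corporate firewalls block it.
    $probe = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
    if (-not $probe.TcpTestSucceeded) {
        throw "TCP 445 to $fqdn is blocked. Use a P2S/S2S VPN, ExpressRoute, or Azure File Sync."
    }
    # Shows the resolved address (expected to be a VNet private IP when a private endpoint is in use).
    Write-Verbose "Resolved $fqdn to $($probe.RemoteAddress)"

    $driveArgs = @{
        Name        = $DriveLetter
        PSProvider  = 'FileSystem'
        Root        = $unc
        Scope       = 'Global'   # keep the drive after the function returns
        ErrorAction = 'Stop'
    }
    if ($UseAccessKey) {
        # Prompt for the key so it never lands in the script or in shell history.
        $key = Read-Host -Prompt "Access key for $StorageAccount" -AsSecureString
        $driveArgs.Credential = [pscredential]::new("AZURE\$StorageAccount", $key)
    }
    # Without -UseAccessKey the signed-in domain identity is used (identity-based auth).
    New-PSDrive @driveArgs
}

Connect-AzureFileShare -StorageAccount 'storage1' -Share 'share1' -Verbose
```

The drive lasts for the current PowerShell session only; add `-UseAccessKey` to the call when identity-based authentication is not enabled for the storage account.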

Azure File Share Snapshots

In Windows Server, you can create a shadow copy of a volume, which captures the state of the volume at a specific point in time.
You can then access this copy over the network using the Previous Versions feature in File Explorer.

A similar feature is available with Azure file share snapshots.
A share snapshot is a read-only copy, at a given point in time, of the data in the Azure file share.

You create a share snapshot at the file share level.
You can then restore individual files from the Azure portal or from File Explorer, where you can also restore an entire share.

You can have up to 200 snapshots per share, allowing you to restore files to different versions over time.
If you delete a share, all its snapshots are also deleted.

Share snapshots are incremental: only the data changed since the last snapshot is saved.
This reduces the time required to create the snapshot and helps save on storage and costs.

Use snapshots in the following situations:

  • As protection against accidental deletions or unintended modifications.
    A share snapshot contains a copy of the files in the share at a specific point in time. If files are mistakenly modified, you can use snapshots to review and restore previous versions of the files.
  • For general backup purposes.
    After creating a file share, you can periodically create a snapshot. This allows you to retain earlier versions of the data, useful for future audits or disaster recovery.