The Definitive Guide | Serverless File Share on Azure

Paulo Nunes
12 min read · Jul 27, 2021


The power of cloud computing is incredible, and we can do a lot of things using Azure, AWS, and GCP. Unfortunately, it is still common to see pesky Windows file servers sitting on on-premises hardware, used by many legacy applications. What do you do? Create a file server without a server: secured, reachable over VPN or a direct link, and with no exposure to the internet.

I will show step by step how to build a perfect serverless file share on Microsoft Azure. Go ahead!

What is Serverless?

Serverless is a cloud systems architecture in which no bare-metal servers, virtual machines, or containers have to be managed to provide a service. It is the act of abstracting a service and, using the power of the cloud, making it available independently of a server.

… Or rather, it does not matter whether there is a server behind it or not.

The Azure file share with no public access.

Azure Files offers a fully managed serverless file share solution in the cloud, and it can be accessed using the industry standard Server Message Block (SMB) protocol or Network File System (NFS) protocol.

By default, access does not extend to an on-premises network over VPN or ExpressRoute; to reach an Azure Files share privately, we use a Private Endpoint. And, for a better and more integrated service, we will enable identity-based access, which authorizes access to this storage account for user accounts located in Active Directory (on the domain controllers).

For this tutorial, I will cover step by step how to make all of this possible. Below is a simple topology. The next section is a summary and explanation of the necessary resources.

Solution overview.

The important resources | Step 1:

  • 2 Active Directory Servers. We could use one server, but I think it is a great opportunity to understand an example of a highly available AD. AD Principal (10.0.0.4) and AD Backup (10.0.0.5);
  • 1 Azure File Share. With public access at this moment;
  • 1 Virtual Network Gateway. It is important to access the Azure cloud using a private IP. In this case, we will use a P2S VPN but, in the same way, you can use an S2S VPN or ExpressRoute;
  • 1 Test VM. A virtual machine to test the solution from outside the Active Directory servers. Remember to join this VM to the domain!
File Share with public access.
Example of public access to a file server.

(A piece of) the secret | Step 2:

  • 1 Private Endpoint. Private Link enables us to access resources over a private network. The private IP of the endpoint is 10.0.1.4.
File Share with private access.
Example of private access to a file server.

Deploys and tests!

1. Create the Active Directory with 2 Domain Controllers.

This template creates 2 new VMs to be AD DCs (primary and backup) for a new Forest and Domain.

https://azure.microsoft.com/en-us/resources/templates/active-directory-new-domain-ha-2-dc/

Smart tip! VM size families A and B are recommended for non-production environments.

2. Deploy a storage account.

Attention! Make sure your storage account name is no longer than 15 characters!

Deploy the file share.

Create/upload some folders and files.

3. Create a Virtual Network Gateway to access using VPN Point-to-Site.

Create a self-signed root certificate

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Generate a client certificate

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

For more details, see the Microsoft documentation:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
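The gateway's Point-to-Site configuration needs the root certificate's public data, and the VPN client machine needs the client certificate with its private key. The following is an added example, not code from the original article; it assumes the two certificates created above exist in Cert:\CurrentUser\My and the output file paths are arbitrary choices.

```powershell
# Added example (not from the original article): export the self-signed root certificate's
# public data in the Base64 form the P2S gateway expects, and export the client certificate
# as a password-protected PFX for the VPN client machine.
$root   = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=P2SRootCert' }  | Select-Object -First 1
$client = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -eq 'CN=P2SChildCert' } | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Create P2SRootCert and P2SChildCert first (see the commands above).' }

# Sanity check: the client certificate must chain to the root, otherwise the gateway rejects the client.
if ($client.Issuer -ne $root.Subject) { throw 'P2SChildCert is not signed by P2SRootCert.' }

# Only the PUBLIC part of the root certificate leaves this machine. RawData is the DER encoding;
# the gateway's "Public certificate data" field takes this Base64 string (no BEGIN/END lines).
$rootPublicBase64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path 'C:\P2SRootCert.b64.txt' -Value $rootPublicBase64   # assumed output path

# The client certificate plus its private key goes to the VPN client as a PFX (keep the password out of scripts).
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath 'C:\P2SChildCert.pfx' -Password $pfxPassword | Out-Null

# Review: the root keeps its private key here (needed to issue more client certs); note the expiry dates.
$root, $client | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey | Format-Table -AutoSize
```

Treat the root certificate's private key like any CA key: whoever holds it can issue client certificates that the gateway will accept, so keep it on a controlled machine and revoke client thumbprints on the gateway when a client is retired.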

Enable the Point-to-Site.

Download and install the VPN client.

4. Deploy a Test VM.

And remember to join this VM to the domain.

Set the Public IP to None.

The VM's private IP in this case is 10.0.0.6.

5. Trying to access the VMs.

Accessing the VMs without the P2S VPN.

Accessing the VM with the P2S VPN.

6. Testing the Azure file share.

Check the file share address by copying the URL.

Paste the value into Notepad, as shown below.

Our example: tipisitfile.file.core.windows.net

By default, every storage account allows access from all networks, including the public internet. Run nslookup and it will return a Microsoft public IP address.

nslookup tipisitfile.file.core.windows.net

7. For private access, it is necessary to create a private endpoint.

Set the target sub-resource to file.

Integrate the private endpoint with an Azure private DNS zone, as shown in the image.

Below we can see the new resources deployed.

7. Testing the Azure file share again.

Execute the nslookup on PowerShell or CMD.

nslookup tipisitfile.file.core.windows.net

Now it is possible to see a second alias: tipisitfile.privatelink.file.core.windows.net

8. Disable public access.

Click Selected networks and Save. This change keeps the storage account reachable only through private endpoint connections.

9. Check that the VNet (or the VMs) use the Domain Controllers' addresses as DNS servers.

If not, change the DNS servers to Custom and add your AD DCs' IPs.

Below are the primary and secondary Active Directory Domain Controller Servers.

10. Create a new primary zone.

The zone name is: privatelink.file.core.windows.net

Add a new A record.

Add the file share name and the private endpoint IP.

In this case, tipisitfile and 10.0.1.4.

The record was successfully created.

11. Testing the Azure file share again.

nslookup tipisitfile.file.core.windows.net

The name now resolves to the private IP 10.0.1.4, so access goes through the private endpoint.
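Rather than reading the nslookup output by eye each time, the resolution and the SMB port can be checked together from a VM or a VPN client. This is an added example, not code from the original article; the FQDN and expected IP are the article's values, and the function name is an assumption.

```powershell
# Added example (not from the original article): confirm that the storage account FQDN resolves
# through the privatelink zone to the private endpoint, and that SMB (TCP 445) is reachable there.
function Test-PrivateFileShareResolution {
    param(
        [string]$Fqdn       = 'tipisitfile.file.core.windows.net',   # article's storage account
        [string]$ExpectedIp = '10.0.1.4'                             # article's private endpoint IP
    )
    # Resolve-DnsName returns the whole answer: the CNAME chain plus the final A record.
    $answers = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop
    $viaPrivateLink = $answers | Where-Object { $_.Type -eq 'CNAME' -and $_.NameHost -like '*.privatelink.file.core.windows.net' }
    $ipv4 = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })

    $tcp = Test-NetConnection -ComputerName $Fqdn -Port 445 -WarningAction SilentlyContinue

    $result = [pscustomobject]@{
        Fqdn               = $Fqdn
        ResolvedAddress    = ($ipv4 -join ', ')
        UsesPrivateLink    = [bool]$viaPrivateLink
        ResolvesToEndpoint = ($ipv4.Count -eq 1) -and ($ipv4[0] -eq $ExpectedIp)
        Smb445Reachable    = $tcp.TcpTestSucceeded
    }
    if (-not $result.ResolvesToEndpoint) {
        # A public IP here means the A record in the privatelink zone or the VM's DNS servers are wrong.
        Write-Warning "$Fqdn resolves to '$($result.ResolvedAddress)', not $ExpectedIp. Check the privatelink zone record and the VNet DNS settings."
    }
    return $result
}

Test-PrivateFileShareResolution | Format-List
```

A result with ResolvesToEndpoint set to True but Smb445Reachable set to False usually means the VPN is not connected or the endpoint's subnet is filtered; both values True is what you want before moving on to identity-based access.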

Enable Identity-based access

This is the important step that enables users and groups to access this file share.

1. Download Azure AD Connect on the AD DC.

2. Run the installer.

You may see the alert below.

If you see it, run these commands in PowerShell (see the Microsoft TLS enforcement documentation):

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement

New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SystemDefaultTlsVersions' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

TLS 1.2 has been enabled.
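The script above only prints a success message; it does not read anything back. The following added check (not code from the original article) re-reads every key and value the script writes and reports any that are missing or wrong, so a failed Azure AD Connect retry is not debugged blind. The key paths and values are the ones from the script above; the function name is an assumption.

```powershell
# Added example (not from the original article): audit the TLS 1.2 enforcement values written above.
function Test-Tls12Enforcement {
    $net32   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    $net64   = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
    $schSrv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
    $schCli  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    # Expected state, exactly as the enforcement script sets it.
    $expected = @(
        @{ Path = $net32;  Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $net32;  Name = 'SchUseStrongCrypto';       Value = 1 },
        @{ Path = $net64;  Name = 'SystemDefaultTlsVersions'; Value = 1 },
        @{ Path = $net64;  Name = 'SchUseStrongCrypto';       Value = 1 },
        @{ Path = $schSrv; Name = 'Enabled';                  Value = 1 },
        @{ Path = $schSrv; Name = 'DisabledByDefault';        Value = 0 },
        @{ Path = $schCli; Name = 'Enabled';                  Value = 1 },
        @{ Path = $schCli; Name = 'DisabledByDefault';        Value = 0 }
    )

    foreach ($e in $expected) {
        # Get-ItemProperty returns $null when the key or value does not exist.
        $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Key      = "$($e.Path)\$($e.Name)"
            Expected = $e.Value
            Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
            Ok       = ($actual -eq $e.Value)
        }
    }
}

$report = Test-Tls12Enforcement
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully enforced yet: re-run the registry commands and restart the server before retrying the installer.'
} else {
    'All TLS 1.2 enforcement values are present.'
}
```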

3. Configure the Azure AD Connect.

Use an account with Global Administrator role to connect to Azure AD.

Use an account with Enterprise Administrator role to connect to AD DS.

After both authentications, complete the configuration.

The sync will start, and the groups and users will show up in Azure Active Directory. Amazing!

AD Connect enabled on Azure.

AD Groups on Azure.

4. Preparing the AD server.

Download AzFilesHybrid using Invoke-WebRequest or curl. Just to show more than one option, we will install Chocolatey first. Wait a few seconds for the command to complete.

Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

With Chocolatey installed, install curl. Wait a few seconds again.

choco install curl

We will use the command below:

curl -o AzFilesHybrid.zip https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.3/AzFilesHybrid.zip

As an alternative, you can use the command below instead. In this case, the file is downloaded to the C: drive.

Invoke-WebRequest -Uri https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.3/AzFilesHybrid.zip -OutFile "C:\AzFilesHybrid.zip"

If you see this same error, the cause is that PowerShell uses TLS 1.0 by default to connect to the website, while the website requires TLS 1.2. You can change this behaviour by running either of the commands below to allow all protocols. You can also specify a single protocol.

Commands:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls, [Net.SecurityProtocolType]::Tls11, [Net.SecurityProtocolType]::Tls12, [Net.SecurityProtocolType]::Ssl3
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"

Use Invoke-WebRequest again, saving the zip file on the C: drive.

Invoke-WebRequest -Uri https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.3/AzFilesHybrid.zip -OutFile "C:\AzFilesHybrid.zip"

Extract the file in the same directory, change into that directory with cd in PowerShell, and use ls to list the files.

cd C:\AzFilesHybrid\
ls

Change the execution policy so that importing the AzFilesHybrid.psm1 module is not blocked.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Attention! Run this inside the correct folder, as in the image above, to copy the module files into your PowerShell module path.

.\CopyToPSPath.ps1

Import the AzFilesHybrid module. Note: close all PowerShell sessions after this step and use a new one for the next commands.

Import-Module -Name AzFilesHybrid
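The download-and-import steps above can be done with a narrower setting than "all protocols" and without opening the execution policy to Unrestricted. The following is an added example, not code from the original article: it pins the session to TLS 1.2 only (the single-protocol form the article mentions), extracts the archive, removes the mark-of-the-web from the extracted files, and imports the module. The release URL is the article's; the destination folder is an assumption.

```powershell
# Added example (not from the original article): TLS 1.2-only download, extract, unblock, import.
$zipUrl  = 'https://github.com/Azure-Samples/azure-files-samples/releases/download/v0.2.3/AzFilesHybrid.zip'
$zipPath = 'C:\AzFilesHybrid.zip'    # assumed paths, same as the article's C: drive location
$dest    = 'C:\AzFilesHybrid'

# Weak setting (from the troubleshooting step): allows fallback to SSL 3.0 and TLS 1.0/1.1.
#   [Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"
# Corrected setting: GitHub only needs TLS 1.2, so permit nothing older for this process.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath
Expand-Archive -Path $zipPath -DestinationPath $dest -Force

# Downloaded files carry the Zone.Identifier "mark of the web". Removing it from the extracted
# module files lets them load under the default RemoteSigned policy on Windows Server, which is
# less permissive than Set-ExecutionPolicy Unrestricted.
Get-ChildItem -Path $dest -Recurse -File | Unblock-File

# Copy the module into the PowerShell module path with the script shipped in the archive.
Push-Location $dest
.\CopyToPSPath.ps1
Pop-Location

# As the article notes, open a NEW PowerShell session before this import.
Import-Module -Name AzFilesHybrid
Get-Command -Module AzFilesHybrid | Select-Object Name
```

If the import still fails in the new session, check Get-ExecutionPolicy -List: a machine-wide AllSigned or Restricted policy set by Group Policy overrides the CurrentUser scope, and the fix is then a signed module or a policy exception, not Unrestricted.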

To join the storage account, install the Az Module.

Install-Module -Name Az -Scope CurrentUser -Repository PSGallery -Force

Wait a few moments.

Connect to Azure using the command below. Log in with an Azure AD credential that has either the Owner or Contributor Azure role assignment on the storage account.

Connect-AzAccount

You will connect and confirm as below.

Join the storage account, using your own parameters.

Join-AzStorageAccount -ResourceGroupName "rg-servelessfileshare" -StorageAccountName "tipisitfile" -Domain "tipisit.com.br" -DomainAccountType ComputerAccount

5. Check identity-based access on your Azure file share.

On the storage account, check if identity-based access has been enabled.

6. Add the group or user.

Add the group or user who will access the file share. Remember to assign the role Storage File Data SMB Share Elevated Contributor for them.
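The portal step above can also be done from the Az module, which makes the scope explicit. The following is an added example, not code from the original article: it assigns the role to the synced AD group at the scope of the single file share rather than the whole storage account. Resource group, storage account, share and group names are the article's; the subscription id is a placeholder.

```powershell
# Added example (not from the original article): share-scoped role assignment for the AD group.
$subscriptionId = '<your-subscription-id>'   # placeholder: not given in the article
$resourceGroup  = 'rg-servelessfileshare'
$storageAccount = 'tipisitfile'
$shareName      = 'tipisitfile'
$groupName      = 'serverlessfileshare'      # the synced AD group the article logs in with later

# Scope of one file share. Assigning here, instead of at the storage account, keeps other shares
# in the same account out of reach of this group (least privilege).
$shareScope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.Storage/storageAccounts/$storageAccount/fileServices/default/fileshares/$shareName"

# The group must already have been synced by Azure AD Connect; fail loudly otherwise.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found in Azure AD; check the AD Connect sync." }

# The role used in the article. "Elevated Contributor" additionally allows changing NTFS ACLs over SMB;
# "Storage File Data SMB Share Contributor" is enough for read/write/delete without ACL changes.
$role = 'Storage File Data SMB Share Elevated Contributor'

$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $shareScope -RoleDefinitionName $role
if ($existing) {
    "Assignment already present: '$role' -> '$groupName' at share scope."
} else {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $role -Scope $shareScope
}

# Review everything effective at this share (including inherited assignments): anything beyond the
# intended group deserves a look.
Get-AzRoleAssignment -Scope $shareScope | Select-Object DisplayName, RoleDefinitionName, ObjectType, Scope
```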

7. Test the connection with the file share.

Test-NetConnection -ComputerName tipisitfile.file.core.windows.net -CommonTCPPort SMB
Resolve-DnsName -Name tipisitfile.file.core.windows.net
Get-AzStorageAccountADObject -ResourceGroupName "rg-servelessfileshare" -StorageAccountName "tipisitfile"

Display the currently cached Kerberos tickets with:

klist

8. Mount the share without a username and password.

Now we have a file share with Identity-based and private access.

In this example, I logged into the server with a domain user from the serverlessfileshare group, which has the Storage File Data SMB Share Elevated Contributor role. The IP address of the server is 10.0.0.6.

\\tipisitfile.file.core.windows.net\tipisitfile

If your domain user is in the correct group, it will be possible to see the files and folders inside the file share.
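The same mount can be done from PowerShell on the domain-joined test VM, with the checks from step 7 folded in so that a failure is attributed to the right layer (network, Kerberos, or permissions). This is an added example, not code from the original article; the FQDN and share name are the article's, while the drive letter and the cifs/ SPN form are assumptions.

```powershell
# Added example (not from the original article): mount the share with the logged-on user's Kerberos
# identity (no stored credentials) after verifying network and ticket prerequisites.
$fqdn  = 'tipisitfile.file.core.windows.net'
$share = "\\$fqdn\tipisitfile"
$drive = 'Z'    # assumed drive letter

# 1. SMB must reach the private endpoint over the VPN (TCP 445 is blocked by most ISPs anyway).
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 445 to $fqdn ($($tcp.RemoteAddress)) failed. Is the P2S VPN connected and DNS pointing at the private endpoint?"
}

# 2. Ask the KDC for a service ticket for the storage account. A failure here points at the
#    computer account created by Join-AzStorageAccount or at DNS, not at the share permissions.
$ticket = klist get "cifs/$fqdn" 2>&1
if ($LASTEXITCODE -ne 0) { throw "Kerberos ticket request failed:`n$ticket" }

# 3. Map the drive. No -Credential parameter: SMB authenticates with the ticket obtained above.
if (Get-PSDrive -Name $drive -ErrorAction SilentlyContinue) { Remove-PSDrive -Name $drive -Force }
New-PSDrive -Name $drive -PSProvider FileSystem -Root $share -Persist -Scope Global | Out-Null

# 4. An "Access is denied" here (with steps 1 and 2 passing) means the user is not in a group
#    holding a Storage File Data SMB Share role on this share.
Get-ChildItem -Path "${drive}:\" | Select-Object Name, Length, LastWriteTime
```

After the mount, klist should list a ticket whose server is cifs/tipisitfile.file.core.windows.net; if the share was mounted with an explicit storage account key instead, that ticket is absent, which is a quick way to tell identity-based access from key-based access during troubleshooting.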

Conclusion

Cloud solutions enable many possibilities, and this one is ideal for keeping data safe, with restricted access and easy administration.

Go ahead and tell me what you think about this solution!


Written by Paulo Nunes

I am enthusiastic about Cloud and in-house computing, with a passion for BI and ML. • Azure Solutions Architect Expert, Microsoft Solution & BI Specialist.