Design and Build Azure files accessed on-premises and secured by AD DS
Updated: Nov 2
About Alif : Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients, so that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarters are in Pune, India, and we work with over 50 partners across the globe who trust us with their client delivery.
Azure Files is the Azure Storage service for creating managed file shares in the cloud. It is based on the Server Message Block (SMB) protocol and lets you access files from the cloud or from on-premises, either by mounting the share or through the REST API, over encrypted connections. It is designed for sharing files, development and debugging tools, and applications that rely on a native file system.
You can create and manage file shares from the Azure portal, the Azure CLI, or PowerShell.
Azure Files Use Cases
Azure Files is a flexible file service that allows for many use cases. It is commonly used for:
File servers—you can use Azure Files to replace network-attached storage (NAS) or on-premises file servers. By adding Azure File Sync, you can replicate data to your on-premises locations for distributed caching and increased performance.
Lift and shift migration—Azure Files enables you to migrate applications and data “as-is” by supporting current protocols. You can move either data, applications, or both.
Application shares—you can configure Azure Files as a centralized file share for application data and configuration files. However, this method only supports SMB access.
Monitoring and analytics—Azure Files enables you to centralize metrics and log files for ingestion by monitoring and analytics tools. This provides redundancy for monitoring and troubleshooting data.
Development and testing—you can use Azure Files to create a centralized repository for code or utilities used during testing and development. Centralization supports collaboration and ensures standardization.
Below are some additional benefits of using Azure Files:
Fully managed service—management and maintenance tasks are handled for you, eliminating overhead.
Shared access—since it is based on SMB, it is broadly compatible with most on-premises applications and services. This means you can easily migrate applications and share data across distributed teams.
Redundancy—data stored in Azure Files is 99.999999999% durable and is automatically replicated to prevent loss due to resource failure.
Easy automation—Azure Files is compatible with most common automation tools and can be managed through a variety of interfaces, including PowerShell, Azure CLI, Azure Storage Explorer, and Azure Portal.
Easy APIs—includes a built-in REST API and client libraries for simplified interfacing and integration with other services.
In this architecture, Azure Files provides the file share. A site-to-site VPN or Azure ExpressRoute provides a secure connection between the on-premises network and the Azure virtual network, and users and applications use that connection to access the files. Azure Active Directory (Azure AD) and Azure DNS cooperate with on-premises AD DS and DNS to secure access.
Azure Files offers fully managed file shares in an Azure Storage account. The files are accessible from the cloud or on-premises. Windows, Linux, and macOS deployments can mount Azure file shares concurrently. File access uses the industry standard Server Message Block (SMB) protocol.
Azure Virtual Network is the fundamental building block for private networks in Azure. It provides the environment for Azure resources, such as virtual machines, to securely communicate with each other, with the internet, and with on-premises networks.
Azure ExpressRoute extends on-premises networks into the Microsoft cloud over a private connection.
Azure VPN Gateway connects on-premises networks to Azure through site-to-site VPNs, in much the same way as you connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.
A private endpoint is a network interface that uses a private IP address from your virtual network. You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network to access data over a private link.
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server.
The Azure Well-Architected Framework provides reference guidance and best practices to apply to your architecture.
Azure Storage always stores multiple copies of your data in the same zone, so that it's protected from planned and unplanned outages. There are options for creating additional copies in other zones or regions.
Azure Firewall has built-in high availability.
Your Azure Storage accounts contain all of your Azure Storage data objects, including file shares. A storage account provides a unique namespace for its data, a namespace that's accessible from anywhere in the world over HTTP or HTTPS. For this architecture, your storage account contains file shares that are provided by Azure Files. For best performance, we recommend the following:
- Don't put databases, blobs, and so on, in storage accounts that contain file shares.
- Have no more than one highly active file share per storage account. You can group file shares that are less active into the same storage account.
- Use SSD-based storage rather than HDD. For more information, see the documentation on the scalability and performance of file shares.
- Don't select a general-purpose v1 storage account, because it lacks important features. The storage account types are described in Storage account overview.
- Pay attention to size, speed, and other limitations.
There's little you can do to improve the performance of non-storage components, except to be sure that your deployment honors the limits, quotas, and constraints that are described in Azure subscription and service limits, quotas, and constraints.
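The components described above (a premium file share in its own storage account, public access denied, a private endpoint with a private DNS zone, and AD DS authentication) can be deployed with Az PowerShell. The following is an added example, not code from the article or from Alif: the resource names, region, OU distinguished name, and the assumption that the resource group and hub VNet already exist are all assumptions.

```powershell
# Added example: deploys the Azure Files side of the architecture with Az PowerShell.
# Assumes Connect-AzAccount has run and that the resource group and hub VNet already exist.
$rg       = 'rg-files-hybrid'        # assumed resource group
$loc      = 'westeurope'             # assumed region
$saName   = 'stfileshybrid001'       # assumed, must be globally unique
$vnetName = 'vnet-hub'               # assumed VNet reachable from on-premises via VPN/ExpressRoute
$subnet   = 'snet-privateendpoints'  # assumed subnet reserved for private endpoints

# Premium (SSD) FileStorage account: not general-purpose v1, and it holds only file shares,
# so no blobs or tables compete with the share for the account's limits.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $saName -Location $loc `
        -SkuName Premium_LRS -Kind FileStorage -MinimumTlsVersion TLS1_2

# Deny all public-network access; only the private endpoint created below can reach the account.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $saName `
        -DefaultAction Deny -Bypass None | Out-Null

# One highly active share per account (provisioned size in GiB for premium shares).
New-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $saName `
        -Name 'corp-data' -QuotaGiB 1024 | Out-Null

# Private endpoint for the 'file' sub-resource in the hub VNet.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$peSubnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
$conn = New-AzPrivateLinkServiceConnection -Name "$saName-file" `
        -PrivateLinkServiceId $sa.Id -GroupId 'file'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "pe-$saName-file" -Location $loc `
        -Subnet $peSubnet -PrivateLinkServiceConnection $conn

# Private DNS zone so <account>.file.core.windows.net resolves to the private IP inside Azure.
# On-premises DNS must forward this name to Azure (for example via the Azure Firewall DNS proxy),
# otherwise clients resolve the public address, which the Deny rule above rejects.
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.file.core.windows.net'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
        -Name "link-$vnetName" -VirtualNetworkId $vnet.Id | Out-Null
$zoneCfg = New-AzPrivateDnsZoneConfig -Name 'file' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneCfg | Out-Null

# Identity-based SMB access with on-premises AD DS: run from a domain-joined machine with the
# AzFilesHybrid module and an account allowed to create computer objects in the target OU.
Import-Module AzFilesHybrid
Join-AzStorageAccountForAuth -ResourceGroupName $rg -StorageAccountName $saName `
        -DomainAccountType 'ComputerAccount' `
        -OrganizationalUnitDistinguishedName 'OU=AzureFiles,DC=corp,DC=example'   # assumed OU

# Check from a client on the VNet or on-premises: the name must resolve to the private IP.
Resolve-DnsName "$saName.file.core.windows.net" | Select-Object Name, Type, IPAddress
```

After the join, share-level access is granted with Azure RBAC roles for the storage account and NTFS permissions on the mounted share, as in any AD DS-secured file server.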