ALIF Consulting

Design and Build Azure files accessed on-premises and secured by AD DS

Updated: Dec 25, 2023

Azure Files

Azure Files is the Azure Storage service for creating file shares in the cloud. It is based on the Server Message Block (SMB) protocol, so clients in Azure or on-premises can mount a share directly, and it also exposes an API; communication is encrypted in transit. Azure Files is a cloud storage service designed for sharing files, development or debugging tools, and applications that rely on native file systems.

With Azure Files, you can create and manage file shares through the Azure portal UI, the Azure CLI, or PowerShell.

Azure Files Use Cases

Azure Files is a flexible file service that allows for many use cases. It is commonly used for:

File servers

You can use Azure Files to replace network attached storage (NAS) or on-premises file systems. By adding Azure File Sync, you can replicate data to your on-premises locations for distributed caching and increased performance.

Lift and shift migration

Azure Files enables you to migrate applications and data “as-is” by supporting current protocols. You can move either data, applications, or both.

Application shares

You can configure Azure Files as a centralized file share for application data and configuration files. However, this method only supports SMB access.

Monitoring and analytics

Azure Files enables you to centralize metrics and log files for ingestion by monitoring and analytics tools. This provides redundancy for monitoring and troubleshooting data.

Development and testing

You can use Azure Files to create a centralized repository for code or utilities used during testing and development. Centralization supports collaboration and ensures standardization.

Below are some additional advantages of using Azure Files:

Fully Managed Service

Management and maintenance tasks are handled for you, eliminating overhead.

Shared Access

Since it is based on SMB, it is broadly compatible with most on-premises applications and services, so you can migrate applications easily and share data across distributed teams.

Redundancy

Data stored in Azure Files is 99.999999999% (eleven nines) durable and is automatically replicated to prevent loss due to resource failure.

Easy Automation

Azure Files is compatible with most common automation tools and can be managed through a variety of interfaces, including PowerShell, Azure CLI, Azure Storage Explorer, and Azure Portal.

Easy APIs

Includes a built-in REST API and client libraries for simplified interfacing and integration with other services.


In this architecture, Azure Files provides the file share. A site-to-site VPN or Azure ExpressRoute provides secure connections between the on-premises network and the Azure virtual network, and users and applications use those connections to access the files. Azure Active Directory (Azure AD) and Azure DNS work together with on-premises AD DS and DNS to secure access.


Architecture

[Architecture diagram: Azure Files]

Components

Azure Storage

Azure Storage is a set of massively scalable and secure cloud services for data, apps, and workloads. It includes Azure Files, Azure Table Storage, and Azure Queue Storage.

Azure Files

Azure Files offers fully managed file shares in an Azure Storage account. The files are accessible from the cloud or on-premises. Windows, Linux, and macOS deployments can mount Azure file shares concurrently. File access uses the industry standard Server Message Block (SMB) protocol.

Azure Virtual Network

Azure Virtual Network is the fundamental building block for private networks in Azure. It provides the environment for Azure resources, such as virtual machines, to securely communicate with each other, with the internet, and with on-premises networks.

Azure ExpressRoute

Azure ExpressRoute extends on-premises networks into the Microsoft cloud over a private connection.

Azure VPN Gateway

Azure VPN Gateway connects on-premises networks to Azure through site-to-site VPNs, in much the same way as you connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

Azure Private Link

Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services. It simplifies the network architecture and secures the connection between endpoints in Azure by eliminating data exposure to the public internet.

Azure Private Endpoint

A private endpoint is a network interface that uses a private IP address from your virtual network. You can use private endpoints for your Azure Storage accounts to allow clients on a virtual network to access data over a private link.

Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server.


Considerations

The Azure Well-Architected Framework provides reference guidance and best practices to apply to your architecture.

Availability

  • Azure Storage always stores multiple copies of your data in the same zone, so that it's protected from planned and unplanned outages. There are options for creating additional copies in other zones or regions.

  • Azure Firewall has built-in high availability.


Performance

  • Your Azure Storage accounts contain all of your Azure Storage data objects, including file shares. A storage account provides a unique namespace for its data, a namespace that's accessible from anywhere in the world over HTTP or HTTPS. For this architecture, your storage account contains file shares that are provided by Azure Files. For best performance, we recommend the following:

      ◦ Don't put databases, blobs, and so on, in storage accounts that contain file shares.

      ◦ Have no more than one highly active file share per storage account. You can group file shares that are less active into the same storage account.

      ◦ Use SSD-based storage rather than HDD; see the Azure Files documentation on the scalability and performance targets of file shares for details.

      ◦ Don't select a general-purpose v1 storage account, because it lacks important features. The storage account types are described in the Storage account overview documentation.

      ◦ Pay attention to size, speed, and other limitations.
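The Components and Considerations sections above describe what a storage account in this architecture should look like: reached through a private endpoint rather than the public endpoint, authenticated against on-premises AD DS, not a general-purpose v1 account, SSD-backed, and not sharing an account with blobs or databases. The following script is an added example (not code from ALIF Consulting or from Microsoft) that audits storage-account records against that guidance. The records follow the shape of `az storage account show --output json`; the two sample accounts are constructed for this example, the field names are an assumption you should confirm against your own `az` output, and the `blobContainers` field is not part of `az` output but something you would populate yourself from `az storage container list`.

```python
"""Audit storage-account records against the Azure Files guidance on this page:
private endpoint only, AD DS authentication, no general-purpose v1 accounts,
SSD (premium) tier, and no blobs mixed into the file-share account.

Input records mirror the JSON shape of `az storage account show`; the sample
below is constructed for this example, not captured from a real tenant.
"""
import json

# Constructed sample input: a deliberately weak account followed by a hardened one.
SAMPLE_ACCOUNTS = json.loads(r"""
[
  {
    "name": "stfilesweak",
    "kind": "Storage",
    "sku": {"name": "Standard_LRS"},
    "publicNetworkAccess": "Enabled",
    "networkRuleSet": {"defaultAction": "Allow"},
    "privateEndpointConnections": [],
    "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "None"},
    "minimumTlsVersion": "TLS1_0",
    "blobContainers": ["app-logs", "backups"]
  },
  {
    "name": "stfileshardened",
    "kind": "FileStorage",
    "sku": {"name": "Premium_ZRS"},
    "publicNetworkAccess": "Disabled",
    "networkRuleSet": {"defaultAction": "Deny"},
    "privateEndpointConnections": [
      {"privateEndpoint": {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.Network/privateEndpoints/pe-files"}}
    ],
    "azureFilesIdentityBasedAuthentication": {"directoryServiceOptions": "AD"},
    "minimumTlsVersion": "TLS1_2",
    "blobContainers": []
  }
]
""")


def audit_account(acct: dict) -> list[str]:
    """Return the list of finding codes for one storage-account record."""
    findings = []
    sku_name = acct.get("sku", {}).get("name", "")

    # Page: don't select a general-purpose v1 account. In az output GPv1 has kind "Storage".
    if acct.get("kind") == "Storage":
        findings.append("gpv1-account")

    # Page: use SSD-based storage rather than HDD. Premium_* SKUs are the SSD tier.
    if not sku_name.startswith("Premium_"):
        findings.append("hdd-tier")

    # Architecture: clients reach the share over Private Link, so the public
    # endpoint should be disabled, the network rules should deny by default,
    # and at least one private endpoint should be connected.
    if acct.get("publicNetworkAccess") != "Disabled":
        findings.append("public-endpoint-enabled")
    if acct.get("networkRuleSet", {}).get("defaultAction") != "Deny":
        findings.append("network-rules-allow-by-default")
    if not acct.get("privateEndpointConnections"):
        findings.append("no-private-endpoint")

    # Page title: access secured by on-premises AD DS, which is the "AD" option.
    auth = acct.get("azureFilesIdentityBasedAuthentication", {})
    if auth.get("directoryServiceOptions") != "AD":
        findings.append("no-adds-authentication")

    # API access is encrypted in transit; refuse obsolete TLS versions for REST.
    if acct.get("minimumTlsVersion") not in ("TLS1_2", "TLS1_3"):
        findings.append("weak-minimum-tls")

    # Page: don't put blobs, databases, and so on in accounts that hold file shares.
    # `blobContainers` is an assumed field populated by the operator, not az output.
    if acct.get("blobContainers"):
        findings.append("blobs-mixed-with-file-shares")

    return findings


def audit_all(accounts: list[dict]) -> dict[str, list[str]]:
    """Map each account name to its findings; an empty list means it passed."""
    return {acct["name"]: audit_account(acct) for acct in accounts}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'OK' if not findings else ', '.join(findings)}")
```

Feed the script real records by replacing `SAMPLE_ACCOUNTS` with the parsed output of `az storage account list --output json` (after adding the `blobContainers` entries yourself); each finding code maps back to one sentence of the guidance above, which makes the report easy to act on.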

