I've been reading around mounting Azure storage account file shares on a Linux web app: https://learn.microsoft.com/en-us/azure/azure-functions/scripts/functions-cli-mount-files-storage-linux

This works fine, and I've confirmed I can write to the fileshare from my function without using any REST endpoints. However, everything I've read (https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox) implies that port 445 is blocked by default within function apps.

So, how is the connection from my function app to the file share enabled?

Aegir

1 Answer

Yes! It is not recommended to use the PING command directly to verify network connectivity to a public DNS name or IP address because PING is usually forbidden. You could use the PowerShell command `Test-NetConnection -Port 445 -ComputerName somestoragexxx.file.core.windows.net` to verify port 445 on the dev machine.

If TCP 445 connectivity fails, make sure your ISP or on-premise network security is not blocking outbound port 445. Please be aware that you should open outbound port 445 rather than inbound port 445.

As a test result, on my local machine, TCP test port 445 is false.

On the Azure VM, TCP test port 445 is true, and I could access the storage file share successfully.

Additionally, port 445 always is not allowed to access over the Internet. You could use different ways to access files in Azure Files.

In the above link, there are many ways to access the Azure file share service. If your outbound port 445 is also blocked by your firewall or ISP, please check this solution to resolve it and also refer to this SO thread.

Note:

You can mount the file share on your local machine by using the SMB 3.0 protocol, or you can use tools like Storage Explorer to access files in your file share. From your application, you can use storage client libraries, REST APIs, PowerShell, or Azure CLI to access your files in the Azure file share.

  • Hey, thanks for the answer. I'm not so much interested in on-premise machines, the question was really about Azure App Service. Do you know whether there is a way to confirm that 445 is being used between my function app and the file share on the Azure storage account? – Aegir Nov 21 '21 at 19:25
  • Networking configuration for Azure file shares is done on the Azure storage account. Azure Storage provides a [layered security model](https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security?toc=/azure/storage/files/toc.json&tabs=azure-portal). To access an Azure file share from the Azure portal, you do not have any restrictions on ports, as it is configured by default to all networks in the networking menu of the Azure storage account for the function app. –  Nov 22 '21 at 04:36
  • To restrict any IP addresses, you can configure the [VNet Integration](https://learn.microsoft.com/en-us/azure/cloud-shell/private-vnet) to your function app storage account so that only allowed IP addresses and ports will be used to access any file shares inside your function app storage account. –  Nov 22 '21 at 04:36
  • Hey, thanks for the reply. I think I might not be explaining my issue too well. In one of the links from my post, you can see port 445 is blocked from Azure app services. If I mount a fileshare to that app service, it still works. So, is port 445 not blocked from app services any more? Or is it using a different port than 445 to mount my share? – Aegir Nov 22 '21 at 08:11
  • Please ensure that port 445 is open; that means your ISP or corporate network is not blocking this port, or you may be using a VPN. If you are unable to open up port 445 on your corporate network or are blocked from doing so by an ISP, you may use a VPN connection or ExpressRoute to work around port 445. For more information, refer [here](https://learn.microsoft.com/en-us/azure/storage/files/storage-how-to-use-files-linux?tabs=smb311) –  Nov 22 '21 at 08:52
  • Hey, unfortunately you haven't really answered my question sorry – Aegir Nov 25 '21 at 16:57
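
Added example, not part of the original thread: on a Linux host, one way to see whether an SMB mount exists and whether any socket has remote port 445 is to read `/proc/mounts` and `/proc/net/tcp`. The parser below runs on constructed sample text; the account name `examplestorage`, the mount point and all addresses are placeholders, and it assumes the process can read its own `/proc` (whether the App Service platform exposes the mount's connection inside the container is not established by this thread).

```python
import socket
import struct

SMB_PORT = 445

# Constructed samples in /proc/net/tcp and /proc/mounts format; the addresses
# are documentation ranges and "examplestorage" is a placeholder account name.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A00000A:C350 0A6433C6:01BD 01 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0A00000A:C351 057100CB:01BB 01 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:C352 0B6433C6:01BD 02 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime 0 0
//examplestorage.file.core.windows.net/share /mounted cifs rw,relatime 0 0
"""


def decode_endpoint(field):
    """'HHHHHHHH:PPPP' -> (ip, port). IPv4 only; assumes a little-endian host."""
    addr_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return ip, int(port_hex, 16)


def smb_connections(tcp_text):
    """Return (remote_ip, state) for each socket whose remote port is 445."""
    found = []
    for line in tcp_text.splitlines()[1:]:  # first line is the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        ip, port = decode_endpoint(cols[2])
        if port == SMB_PORT:
            state = "ESTABLISHED" if cols[3] == "01" else "state 0x" + cols[3]
            found.append((ip, state))
    return found


def cifs_mounts(mounts_text):
    """Return (source, mountpoint) for each mount of filesystem type cifs."""
    rows = (line.split() for line in mounts_text.splitlines())
    return [(r[0], r[1]) for r in rows if len(r) >= 3 and r[2] == "cifs"]


if __name__ == "__main__":
    # On a real host, pass open("/proc/net/tcp").read() and open("/proc/mounts").read().
    print(cifs_mounts(SAMPLE_MOUNTS))
    print(smb_connections(SAMPLE_TCP))
```

An empty result from inside a container does not by itself show that port 445 is unused: a mount performed outside the container's network namespace would not appear in that container's `/proc/net/tcp`.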