Azure Files SMB Access On-premises with Private Endpoints

Captions
In this video we extend Azure Files SMB access to on-premises clients. Hello everyone, I'm Travis and this is Ciraltos. In my last video I went over setting up Azure file share SMB access for Windows AD, now in public preview. This video picks up where the last one left off: in this video we extend access to our on-premises network over VPN and secure the storage account. Before that, please take a second to subscribe, like and share the videos if you find them helpful, and click the bell icon to get notifications of new content.

As I said, this is the second part of the video on Azure Files SMB access, and it picks up where the last one left off, with an Azure file share we can access from Azure but not from an on-premises network. I'll add the link to the video above. We have the share set up and we can mount it from a domain-joined computer in the Azure VNet, but when we try from our on-premises client, in the domain with connectivity over the VPN, it fails. The reason for this is simple: running an nslookup on the storage account shows that it has a public IP address. The storage account is a cloud-based service, and being that our Azure VNet is on the same cloud, access is allowed by default. However, clients on our on-premises domain are outside of the Azure ecosystem; mounting the file share means that we're trying to access an SMB share over the internet. That is not good, due to the security concerns with publicly accessible SMB shares. Even if we open the share for public access, which is not recommended, many ISPs block SMB traffic, so access would be unreliable. What we need is a way to keep the SMB traffic on the VPN or ExpressRoute connection so all traffic stays on the private network. Something like an endpoint for file shares that's private, some kind of private endpoint... ah, a private endpoint. A private endpoint allows us to create a virtual NIC on our private VNet to access Azure resources such as the file share. I have a video that goes over private endpoints and service endpoints in greater detail; the link is above. This video is specific to setting up a private endpoint for the file share to keep SMB traffic on that private network.

Let's talk about the storage firewall. The storage account is a public endpoint by default, with a DNS name and public IP address. All access to the storage account is over the public network until we add a private endpoint. By adding a private endpoint we approve traffic from any connected network by default, but the public endpoint is still available. We can block traffic to the public IP with a storage firewall: by enabling the firewall with no rules we're essentially blocking all public traffic. The important thing to remember is that the storage firewall only applies to the public traffic, not the private endpoint. Restrictions can be added to the private endpoint as well with network security groups.

The demo picks up right where the last video on configuring Windows AD SMB access left off. We're going to create a private endpoint and then configure DNS to resolve the storage account to the private IP. Then we'll enable the firewall and test it by mounting the share on a host outside of Azure over the VPN connection.

Here we are, picking up where we left off. We have our file share up here; we were able to connect to it from a server on the Azure VNet. So now we're going to extend that functionality so we can connect to it from a server that's on the other side of a VPN. This would be similar if ExpressRoute was in place. The first thing I'm going to do is go into the server here. I'm logged in as testuser3. I'm gonna run nslookup on cirfiletest01.file.core.windows.net. It's using my private DNS server, and you can see it's returning the external IP address and the alias of cirfiletest01.file.core.windows.net.

So now let's go back to that storage account and let's add a private endpoint. Here we are in the storage account, and if we scroll down under Settings there's Private endpoint connections, and we're going to create a private endpoint. We'll leave the subscription and the resource group as it is. We'll give it a name; I'll call it cirfiletestPE, and select the region. I'll keep it in the same region. Next we'll go to Resource, and I'm going to connect to an Azure resource in my directory. Here I can see all the resource types; I'll select Microsoft.Storage/storageAccounts, and then I'll select my storage account, which is cirfiletest01. And now it's asking for the sub-resource, and that's file. So do note, if you're setting up private endpoints for blob, table, queue, web or DFS, you would have to do this process for each one of those types. I'll go to next and Configuration. I'm going to select my vnet0, that's my VNet that I'm connected to over VPN, and I'll set it to the default. And we do have to integrate with private DNS; I'll leave that at yes and leave the private DNS zone as privatelink.file.core.windows.net. Now we can go to Review and create, and Create. So this will create the private endpoint; we'll give it a minute to finish. And the deployment has succeeded. Let's go back to the storage account. Here in the resource group you can see I now have a private endpoint and a NIC. It gives us some information: it tells us what VNet it's connected to and what network interface it's connected to. If I go to the network interface we can see that the private IP address is 10.0.0.5.

Next I'll go back to the server, and I've got another window. I'm going to try to use that net use command; let's see if we can mount it now. OK, so that gave me the same error, network not found. OK, so we're not all the way done yet. Let's go back to this other window where I have nslookup; I'm gonna run it again. So look at the difference: before we only had one alias, now we have two. We've got an alias of cirfiletest01.privatelink.file.core.windows.net.

Next we need to make some changes to Windows DNS. This is done automatically if you're using Azure DNS, but we need to be on a Windows AD client for this to work, so you need to use Windows DNS. The client needs to resolve cirfiletest01.file.core.windows.net to an internal IP address. One option would be to use hosts files... just kidding, that would be horrible. Let's go back into the portal and take a look at my VNet settings. My VNet is set to use custom DNS servers; these are my Windows DNS servers for my domain. You could leave it as default and just manually update your Azure VMs with a custom DNS. At any rate, the client needs to use Windows DNS for this to work, and in my case, and probably a lot of others, Azure is pushing out custom DNS servers with the IP settings, so the client is using custom Windows DNS. We need to add a new domain in our Windows DNS and add a host record that points the fully qualified domain name of the storage account to that internal IP address. However, if we added the domain file.core.windows.net to the internal DNS, we would have to add every other Azure Files host we use in this domain; that would be difficult to manage. Remember, after adding the private link, nslookup returned a new domain in the alias: privatelink.file.core.windows.net. This is the domain we'll use for our internal DNS. We can add a host name and a private IP address to that domain to resolve internally. This way, non-private-link Azure Files lookups will use file.core.windows.net to resolve externally. I give more details about DNS and private endpoints in my video mentioned earlier.

Let's add the zone. Here I am on my DNS server, and I'm going to go into Forward Lookup Zones and create a new zone. We'll go next; it's a primary zone; all of the other settings are gonna be default; it's going to all DNS servers, and the zone name will be privatelink.file.core.windows.net. We'll leave the rest default. Now that we have the zone in, let's add a new host record. The name of the storage account was cirfiletest01 and the IP address was 10.0.0.0. Back to the client and run nslookup one more time. Now it returns the address of 10.0.0.0, yes, for cirfiletest01.file.core.windows.net, but it's using the private link in the name.

Before we mount the share, let's enable the firewall. Here I am at the storage account again. I'm gonna go to Firewalls and virtual networks, select Selected networks, and Save. By simply enabling the firewall we block all traffic that isn't explicitly defined. Remember, the firewall only applies to access to the public IP; the private endpoint is attached to the VNet, and network security groups can be used to restrict access that way. Now let's go back to the client and we'll try to mount that again. It completed successfully, and there it is. So this client is accessing the storage account over the private endpoint that has a 10.0.0.0 IP address, and this client is on my 192.168.200 network, so it's accessing that endpoint over the VPN tunnel.

That's it for the video. I hope you found it helpful. Don't forget to like, subscribe, share and click the bell icon to get updates of new content. Thanks for watching.
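The steps walked through in the video, written as Az PowerShell and DnsServer cmdlets instead of portal clicks, as an added example that is not from the video or its author. The storage account, VNet and zone names follow the transcript; resource group 'rg-files', subnet 'default', DNS server 'dc01', share name 'share' and the Z: drive letter are assumptions, and the private IP is read from the endpoint rather than typed in.

```powershell
# Added example (not from the video). Assumed names: rg 'rg-files', subnet 'default',
# DNS server 'dc01', share 'share'. Run from a domain-joined on-premises admin host
# that has the Az modules and can remote to the Windows DNS server.
$rg     = 'rg-files'
$sa     = 'cirfiletest01'
$saFqdn = "$sa.file.core.windows.net"
$zone   = 'privatelink.file.core.windows.net'

# 1. Private endpoint for the 'file' sub-resource only; blob/table/queue/web/dfs
#    each need their own endpoint, exactly as the video notes.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $sa
$vnet    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet0'
$subnet  = Get-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $vnet
$conn    = New-AzPrivateLinkServiceConnection -Name "${sa}-plsc" `
             -PrivateLinkServiceId $storage.Id -GroupId 'file'
$pe      = New-AzPrivateEndpoint -ResourceGroupName $rg -Name "${sa}-pe" `
             -Location $storage.Location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. The NIC's private IP is what on-premises clients must resolve to.
$nic       = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$privateIp = $nic.IpConfigurations[0].PrivateIpAddress

# 3. Windows DNS: a zone for privatelink.file.core.windows.net only, so every other
#    *.file.core.windows.net name keeps resolving publicly (no hosts files).
Invoke-Command -ComputerName 'dc01' -ScriptBlock {
    param($zone, $host, $ip)
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Forest' -ErrorAction SilentlyContinue
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $host -IPv4Address $ip
} -ArgumentList $zone, $sa, $privateIp

# 4. Storage firewall: deny by default. This governs the public endpoint only;
#    the private endpoint is restricted with NSGs on its subnet.
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $sa -DefaultAction Deny

# 5. Verify from the on-premises client before mounting: the public FQDN must end
#    at the private IP and TCP 445 must be reachable over the tunnel. Abort instead
#    of letting 'net use' try SMB against a public address.
$a = (Resolve-DnsName -Name $saFqdn | Where-Object Type -eq 'A').IPAddress
if ($a -ne $privateIp) { throw "$saFqdn resolved to $a, expected $privateIp" }
if (-not (Test-NetConnection -ComputerName $saFqdn -Port 445 -InformationLevel Quiet)) {
    throw 'TCP 445 to the private endpoint is not reachable over the VPN'
}
net use Z: "\\$saFqdn\share" /persistent:no
```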
Info
Channel: Travis Roberts
Views: 15,178
Rating: 4.986711 out of 5
Keywords: Azure, Azure AD, Windows AD, Active Directory, Azure AD Domain Services, SMB, NTFS, File Share, Root Directory, Service Account, Kerberos, token, Azure Files Security, File Server, VPN, Express Route, DNS, privatelink
Id: 7ZxA7uy05bU
Length: 11min 2sec (662 seconds)
Published: Fri May 01 2020