Set up secure FTP on an Azure Windows VM with IIS in 4 easy steps

  1. Install FTP Server on Windows VM
  2. Verify that Windows Firewall has the right ports open
  3. Open the same ports on Azure firewall: Portal or Classic
  4. Add FTP to a website on Azure Windows VM

That’s it! You can now connect using WinSCP

Install FTP Server on Windows VM

Using the Add Roles and Features wizard, add the FTP Server role.

Verify that Windows Firewall has the right ports open

In the FTP Server Passive rule, under the Protocols and Ports settings, either note the default range of ports (1024-65535) or set your own default range (e.g. 5000-5100 or similar).

Open the same ports on Azure firewall using the Azure Portal

  • On the Network interfaces page of your virtual machine, select its network interface.
  • On the Network security group page of the network interface, select its security group.
  • Create security rule for the FTP control connection:
    • On the Inbound security rules page of the security group, click Add in the top bar.
    • Type “FTP” in the Name box.
    • Select FTP in the Service field.
    • Click the OK button and wait for the rule to be created.
  • Create security rule for FTP data connections according to the range you specified:
    • On the Inbound security rules page of the security group, click Add in the top bar.
    • Type “FTP-data” in the Name box.
    • Keep Custom in the Service field.
    • Type the port range in the format min-max (e.g. 5000-5100) in the Port range box.
    • Click the OK button and wait for the rule to be created.
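
The same two rules can be created from a script instead of the portal. The following is an added example, not part of the original article, and it assumes the Az PowerShell module. The resource group, security group name, rule priorities and client address range are placeholders, and the source restriction goes beyond the portal steps, which leave the source as Any.

```powershell
# Added example: scripted equivalent of the two portal rules above (Az module).
# All names, priorities and addresses are placeholders, not values from the article.
$ResourceGroup = 'my-ftp-rg'        # hypothetical resource group
$NsgName       = 'my-ftp-vm-nsg'    # hypothetical network security group
$ClientCidr    = '203.0.113.0/24'   # constructed: address range the FTP clients connect from
$DataPorts     = '5000-5100'        # must match the passive range set on the FTP server

Connect-AzAccount | Out-Null
$nsg = Get-AzNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup

# Settings shared by both rules; only name, priority and destination port differ.
# Limiting the source to known clients keeps the listener off the open internet.
$common = @{
    Access                   = 'Allow'
    Direction                = 'Inbound'
    Protocol                 = 'Tcp'
    SourceAddressPrefix      = $ClientCidr
    SourcePortRange          = '*'
    DestinationAddressPrefix = '*'
}

# Priorities must be unused in this security group; 1100 and 1110 are assumptions.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'FTP' -Priority 1100 `
    -DestinationPortRange '21' @common | Out-Null
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'FTP-data' -Priority 1110 `
    -DestinationPortRange $DataPorts @common | Out-Null

# Push the modified rule set to Azure.
$nsg = $nsg | Set-AzNetworkSecurityGroup

# Read the rules back so the exposed ports and sources can be reviewed.
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' } |
    Sort-Object Priority |
    Select-Object Name, Priority,
        @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } },
        @{ n = 'Ports';  e = { $_.DestinationPortRange -join ',' } } |
    Format-Table -AutoSize
```

Any row in the read-back table whose Source is * or Internet on port 21 or the data range is reachable from anywhere and is worth narrowing.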

Open the same ports on Azure firewall using the Classic Portal and PowerShell

  • Provision endpoint for FTP control connection:
    • On the Endpoints tab of your instance page on the Azure Management Portal, click Add on the bottom bar.
    • On the Add an endpoint to a virtual machine step, select Add a stand-alone endpoint.
    • Proceed to the Specify the details of the endpoint step and select FTP in the Name box.
    • Complete the wizard and wait for the endpoint to be configured.
  • Provision endpoints for FTP data connections according to the range you specified when setting up the FTP server:
    • Run Microsoft Azure PowerShell from the Start menu.
    • Log in using the Add-AzureAccount command.
    • Enter the Get-AzurePublishSettingsFile command to download the .publishsettings file for your Windows Azure subscription.
    • Paste the following code into the PowerShell console:

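# Load the subscription credentials downloaded in the previous step
Import-AzurePublishSettingsFile C:\Users\usernam\Documents\Bizspark-credentials.publishsettings
$VM = Get-AzureVM -ServiceName "winscp-windows" -Name "winscp-windows"
# Add one endpoint per passive data port (5000-5100, matching the FTP server range)
for ($Port = 5000; $Port -le 5100; $Port++)
{
    $VM = $VM | Add-AzureEndpoint -Name "FTP-Data-$Port" -Protocol 'TCP' -LocalPort $Port -PublicPort $Port
}
# Apply the new endpoints to the VM
$VM | Update-AzureVM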

Add FTP to a website with in-built cert on Azure Windows VM

Azure Windows VMs have a built-in SSL certificate. We will use this certificate to configure FTP over SSL. Note: you can bring your own certificate.

Navigate to the website under IIS and select Add FTP Publishing. Make sure the SSL option is set to Require.

In the next step, select Basic Authentication and disallow Anonymous. Add the dedicated FTP user (pre-existing Windows user) and give appropriate R/W privileges.

Under the FTP Firewall Support settings, add the correct port range and set the external IP address (usually available on the Azure VM desktop).

That’s it! You can now connect using WinSCP

Adapted from this article
