Hi @BalajiNext,
To securely give third parties access to SFTP-enabled Blob Storage from specific IPs, configuring NAT on your on-premises firewall with the private IP of the private endpoint can work. Here, assign a public IP on your on-prem firewall and configure NAT rules to map the public IP to the private IP of the private endpoint. Once the public IP is configured, allow the inbound traffic from the specific third-party IPs to the public IP on port 22 (SFTP), and please make sure that the NAT rule translates this traffic to the private endpoint's private IP.
Then provide the third-party IPs with the below SFTP connection string:
<storage-account-name>.<local-user>@<public-IP>
Replace <storage-account-name> with your storage account name, <local-user> with the SFTP user, and <public-IP> with the public IP of your on-prem firewall.
Also, please make sure that the DNS resolution for the private endpoint is correctly configured on your on-prem networks.
However, an alternative option you could try is to set up a secure application or service on your on-premises network to act as a proxy for SFTP access. This service would manage the SFTP connections from third parties and then securely transfer the files to Azure Blob Storage using the private endpoint. I hope following the above will help in resolving the issue.
Please let us know in the comments below, if the issue is resolved or still persists. We will be glad to assist you closely.
Please do consider “up-voting” wherever the information provided helps you; this can be beneficial to other community members. Accepted answers show up at the top, resulting in improved discoverability for others.
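The NAT and allow-list setup described in the answer above, sketched as an added example that is not part of the original answer. It assumes a Linux firewall driven by iptables (the answer names no firewall product); all addresses are constructed documentation values, and the /24 floor and the MASQUERADE rule are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the answer): emit an iptables-restore ruleset for the
# NAT design above. All addresses are constructed documentation values.
PUBLIC_IP="203.0.113.10"                     # public IP assigned on the firewall
PE_IP="10.10.1.4"                            # private endpoint's private IP
ALLOWED="198.51.100.7/32 198.51.100.32/28"   # third-party source ranges

# Accept only IPv4 CIDRs of /24 or narrower (hypothetical policy), so a typo
# such as 0.0.0.0/0 cannot expose port 22 to every source.
valid_source() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -ge 24 ] && [ "$prefix" -le 32 ] || return 1
  case "$ip" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

emit_rules() {
  for src in $ALLOWED; do
    valid_source "$src" || { echo "rejected source: $src" >&2; return 1; }
  done
  echo "*nat"
  for src in $ALLOWED; do   # translate only allow-listed sources
    echo "-A PREROUTING -s $src -d $PUBLIC_IP -p tcp --dport 22 -j DNAT --to-destination $PE_IP:22"
  done
  # Assumption: source-NAT so replies return via this firewall; the storage
  # account then sees the firewall's address, not the third party's.
  echo "-A POSTROUTING -d $PE_IP -p tcp --dport 22 -j MASQUERADE"
  echo "COMMIT"
  echo "*filter"
  for src in $ALLOWED; do
    echo "-A FORWARD -s $src -d $PE_IP -p tcp --dport 22 -j ACCEPT"
  done
  echo "-A FORWARD -s $PE_IP -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
  echo "-A FORWARD -d $PE_IP -p tcp --dport 22 -j DROP"
  echo "COMMIT"
}
```

The output can be checked with `emit_rules | iptables-restore --noflush --test` before it is loaded.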