
Connecting Securely to Microsoft Azure Service with SFTP or FTPS

With WinSCP you can easily upload and manage files on your Microsoft Azure instance/service over SFTP protocol or FTPS protocol.

Before starting you should have WinSCP installed.


Connecting to a Linux Virtual Machine with SFTP

Collect information about your virtual machine instance from your instance dashboard on Azure Management Portal:

  • Host name: DNS name section on a Quick glance sidebar. Host name has a form name.cloudapp.net.
  • Host key fingerprint: SSH Certificate Thumbprint section.
  • Consider setting up public key authentication.

To connect to a virtual machine instance with SFTP, start WinSCP. Login dialog will appear. On the dialog:

  • Make sure New site node is selected.
  • On the New site node, make sure SFTP protocol is selected.
  • Enter Host name.
  • Enter azureuser for User name.
  • Enter your instance password.
  • Save your site settings using the Save button.
  • Login using the Login button.
  • Verify the host key by comparing fingerprints with those collected before (see above). The thumbprint as shown on the dashboard uses a slightly different format than the fingerprint used by WinSCP. In particular, the thumbprint does not include the key type and size at the front and lacks colon separators. For example, WinSCP’s fingerprint ssh-rsa 2048 aa:bb:cc… is equivalent to dashboard thumbprint aabbcc….
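The format difference described in the last step can be checked mechanically rather than by eye. The following is an added example, not part of WinSCP or of the original guide; the function names are hypothetical and the sample values are constructed.

```python
import hmac
import re

# WinSCP format as described above: "<key type> <key size> aa:bb:cc..."
_WINSCP_RE = re.compile(
    r"^(?P<type>[a-z][a-z0-9@.-]*)\s+(?P<bits>\d+)\s+"
    r"(?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})+)$", re.IGNORECASE)


def parse_winscp_fingerprint(text):
    """Split a WinSCP fingerprint into (key_type, bits, hex_digest)."""
    m = _WINSCP_RE.match(text.strip())
    if not m:
        raise ValueError("not a WinSCP-style fingerprint: %r" % text)
    digest = m.group("hex").replace(":", "").lower()
    return m.group("type").lower(), int(m.group("bits")), digest


def normalize_thumbprint(text):
    """Reduce a dashboard thumbprint to bare lowercase hex."""
    digest = re.sub(r"[\s:]", "", text).lower()
    if not digest or len(digest) % 2 or re.search(r"[^0-9a-f]", digest):
        raise ValueError("thumbprint is not hex: %r" % text)
    return digest


def host_key_matches(winscp_fingerprint, dashboard_thumbprint):
    """True only if both strings encode the same digest bytes."""
    _, _, shown = parse_winscp_fingerprint(winscp_fingerprint)
    expected = normalize_thumbprint(dashboard_thumbprint)
    # Compare the full value; a truncated or prefix match is not a match.
    return hmac.compare_digest(shown, expected)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real host.
    shown = "ssh-rsa 2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99"
    print(host_key_matches(shown, "AABBCCDDEEFF00112233445566778899"))
```

A truncated value copied with its ellipsis is rejected as malformed rather than treated as a partial match, so paste the complete thumbprint.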

Connecting to a Windows Virtual Machine with FTPS

First you need to install an FTPS server on the virtual machine:

  • RDP to the machine:
    • On your instance dashboard on Azure Management Portal click on Connect on the bottom bar.
    • “Open” the .rdp file and connect to the server.
  • Once connected to the server, in Server Manager go to Manage > Add Roles and Features.
  • In the Add Roles and Features wizard:
    • On Installation Type step, select Role-based and Feature-based installation.
    • On Server Roles step, select Web Server (IIS).
    • On Web Server Roles (IIS) > Role Services page, select FTP Server (unselect Web Server, if you do not need it).
    • Confirm by clicking Install and wait for installation to finish.
  • Open Internet Information Services (IIS) Manager
    • Go to Sites node.
    • Depending on your needs, either select Add FTP Site or Add FTP Publishing for your web site.
    • On the wizard you should enable Basic authentication, select Require SSL and select pre-generated SSL certificate (or request a new one).
    • On your site node, select FTP Firewall support. Enter Data Channel Port Range, e.g. 5000-5100. With a narrow range, you will be able to provision the endpoints in Azure Management Portal. With a wide range, you will have to automate this with PowerShell. In External IP Address of Firewall, enter the Public virtual IP (VIP) address from the instance dashboard.
  • Provision endpoint for FTP data channels according to the range you specified in previous step:
    • For a narrow range, provision the ports one by one on the Endpoints tab of your instance page on Azure Management Portal. For each port of the range, add a “stand-alone” port with the same private and public port and a unique name (e.g. “FTP-data-5000”). Keep the TCP protocol and leave other options at their default (unchecked) values.
    • For a wide range, you should automate the task using the PowerShell Add-AzureEndpoint cmdlet.


For more details, see Setting up a Passive FTP Server in Windows Azure VM. Note, though, that contrary to what this guide shows, we do recommend that you require SSL connections and disallow anonymous authentication.


Connecting to a Web Site with FTPS

Collect information about your web site from your web site dashboard on Azure Management Portal:

  • URL: Copy URL from FTPS host name section on a Quick glance sidebar.
  • User Name: See Deployment / FTP user section. If you did not set up FTP account yet, use Set up deployment credentials link. User name has form website\user. You need to use both parts when authenticating.

To connect to a web site with FTPS, start WinSCP. Login dialog will appear. On the dialog:

  • Make sure New site node is selected.
  • On the New site node, paste the FTPS host name URL (use Ctrl-V or Manage > Paste Session URL). This selects FTP protocol, TLS/SSL Implicit encryption and inserts Host name. Host name has a form name.azurewebsites.net.
  • Enter User name and Password (if you have forgotten your password, use the Reset your deployment credentials link on the web site dashboard).
  • Save your site settings using the Save button.
  • Login using the Login button.
  • Web site TLS/SSL certificate is signed by a trusted authority, so you won’t be prompted to verify it.


Last modified: by martin