Connecting Securely to Microsoft Azure Service with SFTP or FTPS

Collect information about your virtual machine instance from your instance dashboard on Azure Management Portal:

• Host name: DNS name section on a Quick glance sidebar. Host name has a form name.cloudapp.net.
• Host key fingerprint: SSH Certificate Thumbprint section.
• Consider setting up public key authentication.

To connect to a virtual machine instance with SFTP, start WinSCP. Login dialog will appear. On the dialog:

• Make sure New site node is selected.
• On the New site node, make sure SFTP protocol is selected.
• Enter Host name.
• Enter azureuser for User name.
• Enter your instance password.
• Save your site settings using the Save button.
• Login using the Login button.
• Verify the host key by comparing fingerprints with those collected before (see above). The thumbprint as shown on dashboard uses a slightly different format than a fingerprint used by WinSCP. Particularly the thumbprint does not include key type and size in the front and lack color separators. I.e. WinSCP’s fingerprint ssh-rsa 2048 aa:bb:cc… is equivalent to dashboard thumbprint aabbcc….

First you need to install a FTPS server on the virtual machine:

• RDP to the machine:
  • On your instance dashboard on Azure Management Portal click on Connect on the bottom bar.
  • “Open” the .rdp file and connect to the server.
• Once connected to the server, follow guide to installing secure FTP Server on Windows using IIS. When installing, bear in mind:
  • Microsoft Azure Windows servers come with self-signed certificate, so you do not need to create one.
  • Microsoft Azure Windows servers are behind a firewall, so you need to configure FTP server accordingly.
• Provision endpoint for FTP control connection:
  • On Endpoints tab of your instance page on Azure Management Portal, click Add on bottom bar.
  • On Add an endpoint to a virtual machine step, select Add a stand-alone endpoint.
  • Proceed to Specify the details of the endpoint step and select FTP in Name box.
  • Complete the wizard and wait for the endpoint to be configured.
• Provision endpoints for FTP data connections according to the range you specified when setting up the FTP server:
  • For a narrow range, provision the ports one-by-one on Endpoints tab of your instance page. For each port of the range, add a “standalone-alone” port with the same private and public port and a unique name (e.g. “FTP-data-5000”).
  • For a wide range, you should better automate the task using PowerShell Add-AzureEndpoint cmdlet.

To connect to the instance with FTPS, start WinSCP. Login dialog will appear. On the dialog:

• Make sure New site node is selected.
• On the New site node, select FTP protocol and TLS Explicit encryption.
• In Host name box enter a host name of your instance in format instance.cloudapp.net. You will find it in DNS Name section on Quick glance sidebar of your instance dashboard on Azure Management Portal.
• Enter username and password of an account you want to connect with. Use the account you have specified when creating the instance or any other account you have created on the instance.
• Save your site settings using the Save button.
• Login using the Login button.
• If you are using self-signed certificate, you will be prompted to accept it.

Collect information about your web site from your web site dashboard on Azure Management Portal:

• URL: Copy URL from FTPS host name section on a Quick glance sidebar.
• User Name: See Deployment / FTP user section. If you did not set up FTP account yet, use Set up deployment credentials link. User name has form website\user. You need to use both parts when authenticating.

To connect to a web site with FTPS, start WinSCP. Login dialog will appear. On the dialog:

• Make sure New site node is selected.
• On the New site node, Paste FTPS host name URL (use Ctrl-V or Manage > Paste Session URL). This selects FTP protocol, TLS/SSL Implicit encryption and inserts Host name. Host name has a form name.azurewebsites.net.
• Enter User name and Password (had you forgotten your password, use Reset your deployment credentials link on the web site dashboard).
• Save your site settings using the Save button.
• Login using the Login button.
• Web site TLS/SSL certificate is signed by a trusted authority, so you won’t be prompted to verify it.

Instead of copying URLs from dashboard to WinSCP, you can also directly click on the link to open the session in WinSCP. After entering your credentials and opening session, go to Session > Save Session as Site to save your opened site for future use.

• Guide to uploading files to SFTP/FTPS server;
• Guide to automating operations (including upload);
• Guide to connecting to Amazon EC2 server with SFTP.