Microsoft's native Azure Blob SFTP Limitations

Microsoft's Azure Blob Storage supports the Secure File Transfer Protocol (SFTP), which provides secure file transfer capabilities over the Secure Shell (SSH) network protocol. However, as with any technology, there are limitations and known issues with Azure Blob's SFTP support. This article will explore these limitations, offering potential users a clear understanding of the capabilities and constraints of this service.

Unsupported Clients

Certain clients are known to be incompatible with SFTP for Azure Blob Storage. As of April 2023, these include:
  • Five9
  • Kemp
  • Mule
  • paramiko 1.16.0
  • SSH.NET 2016.1.0

This list is not exhaustive and may evolve over time, with new incompatibilities discovered and existing ones addressed.

Client Settings

Certain client settings can cause degraded performance or failures during large file uploads. For instance, when using WinSCP, it is recommended to disable the 'Enable transfer resume/transfer to temporary filename' option under 'Transfer - Endurance' in the Preferences dialog. Leaving this option enabled can lead to issues during large file transfers.

Unsupported Operations

SFTP for Azure Blob Storage does not support every operation. The unsupported operations span several categories, including ACLs, resuming uploads, random writes and appends, links, capacity information, certain extensions, SSH commands, multi-protocol writes, and rename operations. Attempting an unsupported operation returns an error.

Authentication and Authorization

At present, local users are the only form of identity management supported for the SFTP endpoint. This restricts the flexibility and scalability of managing user identities when using SFTP with Azure Blob Storage.

Networking

There are a few important networking limitations to note. To access the storage account using SFTP, the network must allow traffic on port 22. Static IP addresses are not supported for storage accounts; this is not an SFTP-specific limitation. Internet routing isn't supported; instead, users must use Microsoft network routing. There is also a 2-minute timeout for idle or inactive connections, after which some clients will automatically reconnect.

Other Limitations

Several other limitations exist, including the following:
  • Maximum file upload size via the SFTP endpoint is 100 GB.
  • To change the storage account's redundancy/replication settings or initiate account failover, SFTP must be disabled and may be re-enabled once the conversion has completed.
  • Special containers such as $logs, $blobchangefeed, $root, $web are not accessible via the SFTP endpoint.
  • Symbolic links aren't supported.
  • SSH and SCP commands that aren't SFTP aren't supported.
  • FTPS and FTP aren't supported.
  • TLS and SSL aren't related to SFTP.

Troubleshooting

There are several troubleshooting steps to consider when encountering common errors, which involve ensuring prerequisites at the storage account level are met and checking that appropriate permissions have been assigned. Additionally, public network access settings and the firewall's allowance of the client IP address may need to be checked if connection errors are encountered.

Understanding these limitations and potential issues can help users navigate the Azure Blob Storage SFTP service more effectively, allowing them to leverage its strengths while avoiding pitfalls. It is also important to keep in mind that Azure's offerings are continually evolving, and some of these limitations may be addressed in future updates.