We’re pleased to announce a public preview of our Key Vault references feature, which you can learn more about here: https://azure.microsoft.com/en-us/blog/simplifying-security-for-serverless-and-web-apps-with-azure-functions-and-app-service/
There are some limitations to the initial preview, but we’re hoping to address those very soon. We’re looking forward to your feedback!
Matthew, Azure Functions team
Thanks for the feedback! We are interested in collecting feedback on this request – please vote for it if this is something you would like to see.
We’re also interested in learning more about what people want to use SFTP/FTPS for and which protocol they prefer. Please feel free to leave us a comment letting us know more detail!
Program Manager, Azure Files
Firstly I just want to point out that there is a duplicate of this suggestion under "additional services"!
To add my thoughts around this:
We have a multi-tenant web based system for financial companies, one database per client. Part of our requirement is that we receive files from our clients and other 3rd parties which usually but not exclusively contain financial data which we then load automatically into the client's individual database.
At the moment we have an SFTP product which is on a VM which for historical reasons is not hosted within Azure (it could be). We have one login per-client/per 3rd party. In other words one 3rd party data supplier may supply data for more than one client and each client may have one or more additional logins of their own. Each of these logins will put files into a separate physical folder to avoid intermingling client data. The server is also IP restricted.
We have multiple processes in Azure that poll the SFTP server for a particular login/folder (for security we may have separate read/write logins for the same folder). When a file is found it is "downloaded" to local or blob storage and then processed. Some of these processes are "per client" because they have specific requirements; some are generic and run across multiple clients (i.e. they have some common file being received). Clearly separation is important for the process that handles multiple clients/tenants.
So some of the things I would personally like to see are:
- SFTP as a service (i.e. no requirement for installing on a VM).
- IP restrictions (for keeping track of why we add an allowed IP/IP range it is important that each restriction can at least have a text description).
- Our current server can't do this but I would like to see IP restrictions associated with a login or group of logins. The server would reject an incoming connection if the IP address isn't listed for any login. If the connection passes that restriction then there would be a second check to make sure the login comes from an IP associated with it.
- Multiple logins
- Files go to blob storage
- Each login can write to a different blob container.
- Possibly logins could be grouped which would allow:
  * Setting up of the same IP restrictions across a group of logins.
  * Associating a single blob container with a group of logins if desired.
- When a file is transferred it would be great to be able to trigger an action in Azure. Possibly via a queue or some sort of notification (which would save polling). Ideally triggers could be configured at a general, login group or individual login level. The queue entry/event would tell us the date/time, login name, group name(s) (if applicable) and the file name and blob location.
- Obviously security is important so perhaps encrypting the files on blob storage and having a mechanism to decrypt using Key Vault or something similar.
- From the sending side it would be good if we could add a file to the SFTP server for an external 3rd party to pick up just by adding it to a Blob container (i.e. bypassing the need to use the SFTP protocol "internally" if we want to).
- Personally I am only interested in SFTP!
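As an added illustration (not code from Azure, Microsoft or the commenter above), here is a small Python model of the access policy that comment describes: IP allowlist entries that each carry a description, allowlists attached either to a login or to a login group, the two-stage check (reject the connection unless some login allows the source IP, then require that the authenticating login itself allows it), a per-login or per-group blob container with a per-login folder underneath it, and the notification payload the commenter wants when a file arrives. All names, the sample logins and the RFC 5737 TEST-NET addresses are constructed for the example.

```python
"""Model of a two-stage IP-restricted SFTP front end with login groups.

Added illustration only; it is not Azure code. Logins, groups and addresses
below are constructed sample data.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AllowedRange:
    """One allowlist entry. The description records why the range was added."""
    cidr: str
    description: str

    def contains(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False)


@dataclass
class LoginGroup:
    name: str
    allowed: List[AllowedRange] = field(default_factory=list)
    container: Optional[str] = None  # shared container for the group, if any


@dataclass
class Login:
    name: str
    groups: List[str] = field(default_factory=list)
    allowed: List[AllowedRange] = field(default_factory=list)
    container: Optional[str] = None  # overrides any group container


class SftpAccessPolicy:
    def __init__(self, logins: List[Login], groups: List[LoginGroup]) -> None:
        self.logins: Dict[str, Login] = {l.name: l for l in logins}
        self.groups: Dict[str, LoginGroup] = {g.name: g for g in groups}

    def effective_ranges(self, login: Login) -> List[AllowedRange]:
        """A login inherits the allowlists of every group it belongs to."""
        ranges = list(login.allowed)
        for group_name in login.groups:
            ranges.extend(self.groups[group_name].allowed)
        return ranges

    def connection_allowed(self, ip: str) -> bool:
        """Stage 1: accept the TCP connection only if *some* login allows this IP."""
        return any(r.contains(ip)
                   for login in self.logins.values()
                   for r in self.effective_ranges(login))

    def login_allowed(self, login_name: str, ip: str) -> Tuple[bool, str]:
        """Stage 2: the login that authenticates must itself allow the IP.

        Returns (decision, reason); the reason is what an audit log would record.
        """
        login = self.logins.get(login_name)
        if login is None:
            return False, "unknown login"
        for r in self.effective_ranges(login):
            if r.contains(ip):
                return True, f"matched {r.cidr} ({r.description})"
        return False, "source IP not associated with this login"

    def container_for(self, login_name: str) -> str:
        """Login container first, then the first group container, else a per-login default."""
        login = self.logins[login_name]
        if login.container:
            return login.container
        for group_name in login.groups:
            if self.groups[group_name].container:
                return self.groups[group_name].container
        return f"sftp-{login_name}"

    def transfer_event(self, login_name: str, filename: str,
                       when: Optional[datetime] = None) -> dict:
        """Payload for the queue/notification raised when a file lands."""
        login = self.logins[login_name]
        when = when or datetime.now(timezone.utc)
        # Files always sit under a per-login folder, even in a shared group container,
        # so two tenants' data never intermingle.
        blob = f"{self.container_for(login_name)}/{login_name}/{filename}"
        return {"timestamp": when.isoformat(), "login": login_name,
                "groups": list(login.groups), "file": filename, "blob": blob}


# Constructed sample data (RFC 5737 TEST-NET ranges, fictitious tenants).
GROUPS = [LoginGroup("acme-feeds",
                     [AllowedRange("203.0.113.0/24", "Acme data-supplier egress (constructed)")],
                     container="acme-inbound")]
LOGINS = [
    Login("acme-reader", groups=["acme-feeds"]),
    Login("acme-writer", groups=["acme-feeds"]),
    Login("bank-b", allowed=[AllowedRange("198.51.100.7/32", "Bank B SFTP client (constructed)")]),
]
POLICY = SftpAccessPolicy(LOGINS, GROUPS)
SAMPLE_EVENT = POLICY.transfer_event(
    "acme-writer", "positions.csv", when=datetime(2019, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.1"):
        print(ip, "stage 1:", POLICY.connection_allowed(ip))
    # Stage 1 passes for 203.0.113.10, but bank-b is not associated with that range.
    print("bank-b from 203.0.113.10:", POLICY.login_allowed("bank-b", "203.0.113.10"))
    print(SAMPLE_EVENT)
```

The point of keeping the two stages separate is that stage 1 lets the listener drop unwanted connections before authentication even starts, while stage 2 is what actually enforces per-login separation: an address that belongs to one tenant's supplier can still reach the server, but cannot authenticate as another tenant's login.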
This suggestion should probably be in the "Additional Services" category.
I quite agree with this - SFTP would be a really good way of getting files in and out of Azure in a secure way with good interoperability. Ideally PaaS rather than having to set up a VM.
I can foresee a few useful things like the files being stored in blob storage. Event triggering (queue?) when a file is received - making it possible to trigger a function, logging to Azure tables etc. etc.
Thank you for your feedback. Currently we are in public preview of Azure Active Directory authentication for storage. This feature set allows you to use Azure’s role-based access control framework to grant specific permissions to users, groups and applications down to the scope of an individual blob container or queue. You can see the public preview announcement here: https://azure.microsoft.com/en-us/blog/announcing-the-preview-of-aad-authentication-for-storage/
For any further questions, or to discuss your specific scenario, send us an email at firstname.lastname@example.org.
386 votes · under review · 3 comments · Cloud Services (Web and Worker Role)