Exciting Article Updates! February 24, 2020
*Azure News Update: Azure Files AD integration for SMB access using Active Directory domains managed by customers is now available in preview.
We have updated our Azure MyWorkDrive image in the marketplace so that it can easily join an existing Windows Active Directory server, which further simplifies the process!
Looking to migrate Windows File Shares to cloud file storage? You’re not alone!
Businesses of all sizes have been searching for the right mix of technologies that will allow them to migrate their on-premise file shares to cloud file storage.
For small businesses and startups, services like Dropbox, Box, Egnyte and SharePoint are a good alternative.
For larger businesses, governments, higher education and compliance restricted firms, migrating away from private cloud file storage under their own control requires significant planning.
Larger companies are concerned about the loss of file ownership, data sovereignty, compliance, ongoing costs and navigating costly and complex migrations.
These businesses are considering migrating their file shares to cloud file storage so that they can outsource the management of servers and infrastructure while still maintaining control of their company files and sidestepping the software vendor lock-in associated with EFSS.
Until now they could meet some of these requirements with costly on-premises Enterprise File Sync and Share (EFSS) systems; however, they were still stuck managing complex migrations, managing and licensing new databases, and re-inventing long-term backup and data retention plans.
These businesses have been searching for a simple alternative cloud file storage sharing option that provides the same benefits of traditional mapped drives, fast local speeds and secure file remote access.
The technologies to enable cloud-based file server file shares are now converging with all the components needed to make this dream a reality!
In this article, we will explore the components needed to provide full cloud-based file sharing services and the current state of each as they relate to Microsoft Azure.
Active Directory Domain Service
Currently, with Microsoft Azure, enterprises have a mix of alternatives for authentication including Azure AD, Azure AD Domain Services and Active Directory Virtual Machines.
Azure AD is the backbone of Azure authentication and is used not only for Azure services but for Office Online as well. Typically, companies use Azure AD Sync to synchronize their local Active Directory with Azure AD to provide a single sign-on experience.
Larger organizations may also federate with Azure AD using ADFS. Azure AD itself is currently incomplete as a standalone directory service and cannot provide the level of control and management that enterprises require.
This is why customers maintain their own Active Directory Servers and sync or federate them to Azure AD so they can take advantage of single sign on and other services such as Azure Multi Factor Authentication when using Azure AD as their SAML Identity Provider (IDP).
Azure AD Domain Services
Azure AD Domain Services (not to be confused with Azure AD) is an option to host Active Directory services within Azure, with some limitations. Azure AD Domain Services provides what is essentially an Organizational Unit (OU) hosted by Microsoft Azure with full redundancy built in.
Currently, to bring identities from an on-premises Active Directory into Azure AD Domain Services, customers must use Azure AD as an intermediary: the customer's Active Directory is synced to Azure AD, and Azure AD is then synced to Azure AD Domain Services.
There are some important differences between Azure AD Domain Services managed domains and self-managed Active Directory domains, detailed here. Microsoft recently updated Azure AD Domain Services to permit resource-based constrained delegation, which is important for firms wishing to offer a SAML single sign-on experience with customer applications, and added group policy support.
Active Directory Virtual Machines
Customers may also run and manage their own Active Directory servers in Azure as a virtual machine.
This option requires managing and maintaining multiple domain controllers in separate regions connected by VPN links to ensure availability and redundancy. Customers must also manage backups and Windows updates on these virtual machines, which may reduce the value proposition for firms looking to go all in with a cloud option.
These firms still have the benefits of redundancy and outsourced management of hardware infrastructure, and they retain ownership and management of their AD domains. Microsoft has detailed important considerations for deploying Active Directory Domain Controllers as virtual machines.
Microsoft Azure File Shares (AFS) are SMB-accessible file shares hosted by Azure.
By utilizing Azure File Shares, companies are relieved of the responsibility of maintaining Windows file server-based file shares. Initially, Azure File Shares did not support NTFS permissions and could not be part of Active Directory. Microsoft recently added the ability to connect AFS to Azure Active Directory Domain Services for authentication.
*Unfortunately, up until now, Azure File Shares could not be joined to an Active Directory managed by customers' own servers, and AFS did not support delegation/impersonation, which is essential should any firm wish to connect to file shares with SAML for single sign-on or multi-factor access.
*Azure News Update: Azure Files Azure AD integration for SMB access using Active Directory domains managed by customers is now available in preview.
Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard SMB protocol. Integration with Azure AD enables SMB access to Azure file shares using Azure AD credentials from Azure AD DS domain joined Windows VMs.
In addition, Azure Files supports preserving, inheriting, and enforcing Microsoft file system NTFS ACLs on all folders and files in a file share. Azure Files Active Directory integration using customers' own domain controllers is in preview in selected Azure production regions. Read more about the benefits of Azure Files Active Directory integration and follow this step-by-step guidance to get started.
**Azure File Shares also had a file share size limitation of 4 TB. This has recently been increased to support up to 100 TiB capacity, 10K IOPS, and 300 MiB/s throughput!
AFS has built-in capabilities including integrated backup and the ability to sync AFS to multiple locations using Azure File Share Sync.
With Azure File Share Sync, multiple locations can be synced from on-premises to AFS and to remote locations. Using Azure File Share Sync is another way to connect AFS to customers' own Active Directory, since NTFS ACLs are synced in addition to files and folders.
Azure NetApp Files Service
Azure NetApp Files (ANF) is a new option for storing enterprise SMB and NFS files in Azure on a bare-metal all-flash infrastructure, powered by NetApp. Just coming out of preview, ANF is scheduled to be released to full production on May 28th, 2019.
With ANF, customers may host file shares in Azure with higher performance and Active Directory managed by customers on their own virtual machines.
Since ANF shares are part of Active Directory, delegation and impersonation may be enabled, an important consideration for enterprises looking to enable SAML single sign-on and multi-factor authentication using another IDP such as Azure AD.
Currently Azure NetApp Files does not have an integrated backup solution. An additional server that can back up shares over SMB (such as Commvault) will be required. Integrated backup and snapshot scheduling are features slated for release by the end of Q3 2019.
Azure NetApp Files is a premium experience suitable for enterprises of any size. The onboarding and registration pages for Azure NetApp Files are located here.
Secure Remote File Access
Mapping drives remotely to Azure File Shares or the Azure NetApp Files service requires connecting over the SMB protocol on ports 445 and 139, which are only accessible from the same local area network or via VPN.
Microsoft documentation is frequently interpreted to mean that SMB ports are an option for accessing files remotely, but those ports are normally blocked on nearly every firewall and service provider network due to security/malware concerns.
Businesses will need to maintain VPN tunnels from Azure to each location (and pay for usage and bandwidth) as well as VPN gateways for users to access files on the go.
Since SMB shares are made available directly over VPN, these shares are subject to the same security and ransomware concerns as file shares on-premises.
As an alternative to VPN, MyWorkDrive can be enabled in Azure as a virtual machine to provide secure Azure cloud storage gateway access to Azure File Shares or Azure NetApp Files shares over port 443 (SSL) with a mapped drive, web browser and mobile clients.
Instead of using VPNs, end users may access files over port 443 with built-in security and intelligence (such as blocking files by size and type) not available in traditional VPN solutions.
With MyWorkDrive, files remain stored and backed up on AFS or ANF shares, providing a complete cloud file server solution without managing and maintaining traditional file servers or Active Directory on-premises.
The customer maintains control of their file shares, and the shares remain in native NTFS format, which may be backed up and stored in long-term archives to meet retention requirements indefinitely, without vendor lock-in or ransomware concerns.
Rob Schenk of Intivix.com, a co-founder of MyWorkDrive, notes: “As a long-time Microsoft partner and co-founder of an IT consultancy, I’ve recently seen a significant uptick in security compromises and ransomware infections across the industry. I’m happy that the security model utilized by MyWorkDrive significantly reduces the attack footprint, helping our clients be less susceptible to security intrusions.”
– Rob Schenk, Co-Founder and CEO Intivix
Migrating file shares to Azure is an important planning consideration when designing an Azure-based cloud file storage solution.
In addition to migrating files, enterprises will want to plan for file types that require LAN speeds, such as design files and databases. These file types cannot be safely opened over the WAN. For smaller firms with supported file types, traditional file copy migration tools such as Robocopy may suffice.
NTFS permissions may be copied with the files, since both Azure File Shares and NetApp file shares support ACLs. Larger customers should consider using Azure File Share Sync or NetApp Cloud Sync. NetApp Cloud Sync customers utilizing the new Azure NetApp Files service may obtain a free license for a limited time from NetApp.
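The Robocopy migration described above, with a check that the NTFS ACLs actually survived the copy, as an added example that is not part of the original article or of MyWorkDrive's own tooling. The source and destination paths are placeholders for your own file server share and the Azure File Share or Azure NetApp Files volume; the script assumes it runs from a domain-joined machine that can reach both.

```powershell
# Added example (not from the article): mirror a share to Azure with Robocopy,
# carrying NTFS ACLs, then verify folder ACLs match before users are cut over.
$Source      = '\\fs01\Projects'                              # placeholder source share
$Destination = '\\storageacct.file.core.windows.net\projects' # placeholder Azure Files share
$LogFile     = Join-Path $env:TEMP 'robocopy-projects.log'

# /MIR mirrors the tree. /COPY:DATSO copies Data, Attributes, Timestamps,
# Security (DACL) and Owner; /COPYALL is avoided because it adds U (auditing
# SACLs), which Azure Files does not support. /XJ skips junctions, /R and /W
# bound retries, /MT runs multithreaded, /NP and /NFL keep the log readable.
robocopy $Source $Destination /MIR /COPY:DATSO /XJ /R:2 /W:5 /MT:16 /NP /NFL /LOG:$LogFile

# Robocopy exit codes 0-7 are success (bits 1/2/4 are informational); 8+ means
# at least one file or directory failed to copy.
if ($LASTEXITCODE -ge 8) {
    throw "Robocopy reported failures (exit code $LASTEXITCODE); see $LogFile"
}

# Verification: compare the SDDL string of every folder's security descriptor
# on the source against the same relative folder on the destination. A missing
# or altered ACE shows up here rather than as a help-desk ticket after cutover.
# Owner differences are expected if the copying account lacked restore rights.
$mismatches = Get-ChildItem -Path $Source -Directory -Recurse | ForEach-Object {
    $relative = $_.FullName.Substring($Source.Length)
    $target   = Join-Path $Destination $relative
    $srcSddl  = (Get-Acl -Path $_.FullName).Sddl
    $dstSddl  = (Get-Acl -Path $target -ErrorAction SilentlyContinue).Sddl
    if ($srcSddl -ne $dstSddl) {
        [pscustomobject]@{ Path = $relative; Source = $srcSddl; Destination = $dstSddl }
    }
}

if ($mismatches) {
    $mismatches | Format-Table -AutoSize
    Write-Warning "$(@($mismatches).Count) folder(s) have ACLs that differ from the source."
} else {
    Write-Host "All folder ACLs on $Destination match $Source."
}
```

Run the copy once with /L added to the Robocopy line first to list what would change without writing anything, and schedule the final /MIR pass during a window when the source share is read-only so no files change between copy and verification.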
Conclusion & Recommendation
The current state of cloud file storage for Windows-based organizations in Azure is continuing to evolve at an accelerated pace.
While Azure File Shares lacked the ability to connect directly to customer-managed Active Directory servers, this is now in preview. The 4 TB share size limit and the limited Single Sign-On/SAML authentication options have now been lifted.
For any organization, a combination of Azure File Shares, Azure File Share Sync, Azure AD Domain Services and MyWorkDrive would be a good choice, although a bit complicated: since AFS does not yet integrate natively with Active Directory, Azure File Share Sync must be used to place ACLs on files.
When Azure File Shares goes live with Active Directory integration, which is in preview as of this article's posting date, the setup process will be streamlined and will require only a simple install of our MyWorkDrive Server.
On January 13th, 2020, we updated our Azure MyWorkDrive image in the marketplace so that it can easily join an existing Windows Active Directory server, which further simplifies the process.
For larger organizations that need larger file shares and higher performance, Azure NetApp Files connected to VM-based Active Directory Domain Controllers and MyWorkDrive may be a better alternative.
Azure NetApp Files customers will need to keep in mind that they must deploy and manage a separate backup service or appliance until Azure NetApp Files provides an integrated backup solution some time later this year.