Commit 72df04b

Merge pull request #245885 from duongau/ftpsupport
Firewall - FTP support table (remove precondition)
2 parents 3a691c9 + 0d73b8c commit 72df04b

1 file changed

+8
-3
lines changed

articles/firewall/ftp-support.md

Lines changed: 8 additions & 3 deletions
@@ -36,11 +36,16 @@ The following table shows the configuration required to support various FTP scen
3636
> [!TIP]
3737
> Remember that it may also be necessary to configure firewall rules on the client side to support the connection.
3838
39+
> [!NOTE]
40+
> By default, Passive FTP is enabled, and Active FTP needs additional configured on Azure Firewall. For instructions, see next section.
41+
>
42+
> Most FTP servers do not accept data and control channels from different source IP addresses for security reasons. Hence, FTP sessions via Azure Firewall are required to connect with a single client IP. This implies E-W FTP traffic should never be SNAT’ed with Azure Firewall Private IP and instead use client IP for FTP flows. Likewise for internet FTP traffic, it is recommended to provision Azure Firewall with a single public IP for FTP connectivity. It is recommended to use NAT Gateway to avoid SNAT exhaustion.
43+
3944
|Firewall Scenario |Active FTP mode |Passive FTP mode |
4045
|---------|---------|---------|
41-
|VNet-VNet |**Precondition**:<br>Active FTP is configured on Azure Firewall (see instruction below)<br><br>Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Dest IP port 20 to Source VNet |**Precondition**:<br>SNAT is disabled for traffic between FTP client and server.<br><br>Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Source VNet to Dest IP \<Range of Data Ports>|
42-
|Outbound VNet - Internet<br><br>(FTP client in VNet, server on Internet) |Not supported *|**Pre-Condition**:<br>This scenario requires configuring Azure Firewall with a single Public IP address.<br><br>Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Source VNet to Dest IP \<Range of Data Ports> |
43-
|Inbound DNAT<br><br>(FTP client on Internet, FTP server in VNet) |**Precondition**:<br>- Active FTP is configured on Azure Firewall (see instructions below).<br>- This scenario also requires configuring Azure Firewall with a single Public IP address.<br><br>DNAT rule to configure:<br>- DNAT From Internet Source to VNet IP port 21<br><br>Network rule to configure:<br>- Allow **traffic from** FTP server IP **to** the internet client IP on the active FTP port ranges. |Tip: Azure Firewall supports limited number of DNAT rules. It's important to configure the FTP server to use a small port range on the Data channel.<br><br>DNAT Rules to configure:<br>- DNAT From Internet Source to VNet IP port 21<br>- DNAT From Internet Source to VNet IP \<Range of Data Ports> |
46+
|VNet-VNet |Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Dest IP port 20 to Source VNet |Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Source VNet to Dest IP \<Range of Data Ports>|
47+
|Outbound VNet - Internet<br><br>(FTP client in VNet, server on Internet) |Not supported *|Network Rules to configure:<br>- Allow From Source VNet to Dest IP port 21<br>- Allow From Source VNet to Dest IP \<Range of Data Ports> |
48+
|Inbound DNAT<br><br>(FTP client on Internet, FTP server in VNet) |DNAT rule to configure:<br>- DNAT From Internet Source to VNet IP port 21<br><br>Network rule to configure:<br>- Allow **traffic from** FTP server IP **to** the internet client IP on the active FTP port ranges. |Tip: Azure Firewall supports limited number of DNAT rules. It's important to configure the FTP server to use a small port range on the Data channel.<br><br>DNAT Rules to configure:<br>- DNAT From Internet Source to VNet IP port 21<br>- DNAT From Internet Source to VNet IP \<Range of Data Ports> |
4449

4550
\* Active FTP doesn't work when the FTP client must reach an FTP server on the Internet. Active FTP uses a PORT command from the FTP client that tells the FTP server what IP address and port to use for the data channel. The PORT command uses the private IP address of the client, which can't be changed. Client-side traffic traversing the Azure Firewall is NATed for Internet-based communications, so the PORT command is seen as invalid by the FTP server. This is a general limitation of Active FTP when used with a client-side NAT.
4651

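Review bot: The new NOTE line has a grammar slip: "Active FTP needs additional configured on Azure Firewall" should read "Active FTP needs additional configuration on Azure Firewall", and "see next section" should be "see the next section". Two substantive points on the same hunk: the deleted Outbound and Inbound DNAT cells stated a single Public IP as a hard precondition ("requires configuring Azure Firewall with a single Public IP address"), whereas the replacement NOTE only says it "is recommended"; if the single-IP requirement still holds for those scenarios, the NOTE should keep the stronger wording so readers do not lose it with the removed cells. The same sentence then recommends NAT Gateway to avoid SNAT exhaustion, which sits awkwardly next to the single-public-IP guidance; consider adding a clause stating how the two combine (for example, that the NAT Gateway should itself be provisioned with a single public IP for FTP flows) so the reader is not left to reconcile them. Minor: "SNAT’ed" uses a curly apostrophe; use the plain form the rest of the article uses.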