2

I have an Azure Function that needs to access an external SMB file share that is hosted on port 445. The Azure Web App sandbox that Functions run inside of explicitly blocks port 445. Assuming I have no control over the external SMB file server, what can I do to allow the Azure Function to access the SMB file share?

enter image description here

Some ideas... which ones are feasible?

  1. Setup an outgoing port-forward from a non-blocked port (say, port 555) to external port 445. Then have my Function app target the non-blocked port.
  2. Expose the file server via a "Virtual Network". According to the docs, the 445 port block rule is ignored if the target network interface belongs to the app. Can I add a 3rd party host as an interface on my app's virtual network? How?
  3. Is there a proxy service I can install and run in my Azure environment that can expose the file share on a different port?

How should I approach this problem?

Kemmis
  • 131
  • 1
  • 2

2 Answers2

1

There's a reason they're blocking SMB access: It's not a safe and secure protocol to expose to the Internet. Really. You might recommend the third-party to stop exposing their server to risk in that way too, if you're on good terms with them.

Suggested solutions:
1. Create a VPN to the site where the SMB server exists and access the machine through an encrypted and secure tunnel.
2. Present relevant data from the server using a different protocol.

Mikael H
  • 5,179
1

The Azure Relay service enables you to securely expose services that run in your corporate network to the public cloud. You can do so without opening a port on your firewall, or making intrusive changes to your corporate network infrastructure.

The relay service supports the following scenarios between on-premises services and applications running in the cloud or in another on-premises environment.

  • Traditional one-way, request/response, and peer-to-peer communication
  • Event distribution at internet-scope to enable publish/subscribe scenarios
  • Bi-directional and unbuffered socket communication across network boundaries.

Azure Relay differs from network-level integration technologies such as VPN. An Azure relay can be scoped to a single application endpoint on a single machine. The VPN technology is far more intrusive, as it relies on altering the network environment.

https://docs.microsoft.com/en-us/azure/service-bus-relay/relay-what-is-it

Ken W - Zero Networks
  • 679
  • 3
  • 8