top of page
Writer's pictureALIF Consulting

Using Azure file shares in a hybrid environment

Updated: May 31

This architecture shows how to include Azure file shares in your hybrid environment. Azure file shares are used as serverless file shares. By integrating them with Active Directory Services (AD DS), you can control and limit access to AD DS users. Azure file shares then can replace traditional file servers.


USE CASE


  • Replace or supplement on-premises file servers. Azure Files can completely replace or supplement traditional on-premises file servers or network-attached storage devices. With Azure file shares and AD DS authentication, you can migrate data to Azure Files. This migration can take advantage of high availability and scalability while

  • Lift and shift. Azure Files makes it easy to "lift and shift" applications that expect a file share to store application or user data in the cloud

  • Backup and disaster recovery. You can use Azure Files as storage for backups or for disaster recovery to improve business continuity. You can use Azure Files to back up your data from existing file servers while preserving configured Windows discretionary access control lists. Data that's stored on Azure file shares isn't affected by disasters that might affect on-premises locations.

  • Azure File Sync. With Azure File Sync, Azure file shares can replicate to Windows Server, either on-premises or in the cloud. This replication improves performance and distributes caching of data to where it's being used.


Architecture


Azure file share in hybrid environment

The architecture consists of the following components

  • Azure Active Directory tenant. This component is an instance of Azure Active Directory (Azure AD) that's created by your organization. It acts as a directory service for cloud applications by storing objects that are copied from the on-premises Active Directory. It also provides identity services when accessing Azure file shares.

  • AD DS server. This component is an on-premises directory and identity service. The AD DS directory is synchronized with Azure AD to enable it to authenticate on-premises users.

  • Azure AD Connect sync server. This component is an on-premises server that runs the Azure AD Connect sync service. This service synchronizes information held in the on-premises Active Directory to Azure AD.

  • Virtual network gateway. This optional component is used to send encrypted traffic between a Virtual Network NAT and an on-premises location over the internet.

  • Azure file shares. Azure file shares provide storage for files and folders that you can access over Server Message Block (SMB), Network File System (NFS), and Hypertext Transfer Protocol (HTTP) protocols. File shares are deployed into Azure storage accounts.

  • Recovery Services Vault. This optional component provides Azure file share backup.

  • Clients. These components are AD DS member computers, from which users can access Azure file shares.

Recommendations

  • Use general-purpose v2 (GPv2) or File Storage storage accounts for Azure file shares

  • Use premium file shares for workloads that require high throughput

  • Use premium file shares for workloads that require high throughput

  • Consider using Azure File Sync with Azure file shares

  • Use a VPN if the port that SMB uses (port 445) is blocked

  • Always require encryption when accessing Azure file shares

Considerations


Scalability Considerations

  • Azure file share size is limited to 100 tebibytes (TiB). There's no minimum file share size or limit on the number of Azure file shares.

  • The maximum size of a file in a file share is 1 TiB, and there's no limit on the number of files in a file share.

  • Maximum I/O operations per second (IOPS) per standard file share is 10,000 IOPS and 100,000 IOPS per premium file share.

  • Maximum throughput for a single standard file share is up to 300 mebibytes/sec (MiB/sec) and 6,204 MiB/s for premium file shares.

  • IOPS and throughput limits are per Azure storage account and are shared between Azure file shares in the same storage account.


Availability Considerations

Azure file shares currently support the following data redundancy options:

  • Locally redundant storage (LRS): Data is copied synchronously three times within a single physical location in the primary region. This practice protects against data loss because of hardware faults, such as a bad disk drive.

  • Zone-redundant storage (ZRS): Data is copied synchronously across three Azure availability zones in the primary region. Availability zones are unique physical locations within an Azure region. Each zone consists of one or more data centres equipped with independent power, cooling, and networking.

  • Geo-redundant storage (GRS): Data is copied synchronously three times within a single physical location in the primary region using LRS. Your data is then copied asynchronously to a single physical location in the secondary region. Geo-redundant storage provides six copies of your data spread between two Azure regions.

  • Geo-zone-redundant storage (GZRS): Data is copied synchronously across three Azure availability zones in the primary region using ZRS. Your data is then copied asynchronously to a single physical location in the secondary region.


  • Premium file shares can be stored in locally redundant storage (LRS) and zone redundant storage (ZRS) only. Standard file shares can be stored in LRS, ZRS, geo-redundant storage (GRS), and geo-zone-redundant storage (GZRS).

  • Azure Files is a cloud service, and as with all cloud services, you must have internet connectivity to access Azure file shares. A redundant internet connection solution is highly recommended to avoid disruptions.


Security Considerations

  • Use AD DS authentication over SMB for accessing Azure file shares. This setup provides the same seamless single sign-on (SSO) experience when accessing Azure file shares as accessing on-premises file shares.

  • All data that are stored on Azure file share is encrypted at rest using Azure storage service encryption (SSE). SSE works similarly to BitLocker Drive Encryption on Windows, where data is encrypted beneath the file system level.

  • All Azure storage accounts have encryption in transit enabled by default. This setup means that all communication with Azure file shares is encrypted. Clients that don't support encryption can't connect to Azure file shares

  • By default, clients can connect to Azure file share from anywhere. To limit the networks from which clients can connect to Azure file shares, configure the Firewall, virtual networks, and private endpoint connections

Cost Considerations

Azure Files has two storage tiers and two pricing models:


o Standard storage: Uses HDD-based storage. There's no minimum file share size, and you pay only for used storage space. Also, you need to pay for file operations, such as enumerating a directory or reading a file.


o Premium storage: Uses SSD-based storage. The minimum size for a premium file share is 100 gibibytes, and you pay per provisioned storage space. When using premium storage, all file operations are free.


Extra costs are associated with file share snapshots and outbound data transfers. (When you transfer data from Azure file shares, inbound data transfer is free.) Data transfer costs depend on the amount of transferred data and the stock-keeping unit (SKU) of your virtual network gateway.



490 views0 comments

Recent Posts

See All

Comments


bottom of page