Loading...

Validating FTP traffic scenarios with Azure Firewall

Validating FTP traffic scenarios with Azure Firewall

Written by Gopikrishna Kannan (Head of Products: Azure Firewall and Firewall Manager)

 

Introduction:

The Azure Firewall is a cloud-native and intelligent network firewall security service that can be integrated into many different use cases. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability that provides both east-west and north-south traffic inspection.

This blog will discuss FTP scenario with Azure Firewall. FTP or File Transfer Protocol is  the most common use case for enterprise customers. FTP may be configured to run in active or passive mode, which determines how the data connection is established.

Azure Firewall supports both Active and Passive FTP scenarios.  Passive FTP mode requires FTP client to initiate connection to the server on a specified port range. Passive FTP is the recommended approach for E-W scenarios. In Active FTP mode, the server initiates connection to the client. This approach is typically deployed to support internet clients connecting to the FTP server running behind Azure Firewall and requires more than 250 DNAT ports (Azure Firewall DNAT rule limits) to be opened hitting load balancer limits. By default, Passive FTP is enabled, and Active FTP support is disabled to protect against FTP bounce attacks using the FTP PORT command.

 

Configuring Passive FTP mode for E-W traffic:

In this setup, I created the environment below with two directly peered VNETs. Client is hosted on 10.5.0.0/24 subnet and server is in 10.1.1.0/24. Both client and server is running Windows Server 2019 and configured to route traffic to the Azure Firewall. Azure Firewall is configured to allow traffic to the FTP server 10.1.1.6 on port 50000-52000, port 20 & 21.

 

ShabazShaik_1-1689928542772.png

 

Server 10.1.1.6 is running FileZilla FTP and configured to allow passive FTP on port 50000-52000.  I created a temporary user with permission to read/write to the FTP server on a specific directory.

 

ShabazShaik_2-1689928542777.png

 

ShabazShaik_3-1689928542779.png

 

Running the test: On the client, I launched file explorer and ran the command to connect to FTP server 10.1.1.6.

 

ShabazShaik_4-1689928542781.png

 

I validated the scenario by copying all the files in the directory and checking the Firewall logs.

 

ShabazShaik_5-1689928542785.png

 

You can also review FTP transactions on the FileZilla Server administration interface.

 

ShabazShaik_6-1689928542789.png

 

Validating Active FTP mode for internet traffic:

In this scenario, the client is connecting from the internet to the FTP server 10.1.1.6 running behind Azure Firewall. The Firewall is configured to allow DNAT Firewall Public IP on port 21 to FTP server 10.1.1.6. Server 10.1.1.6 has complete access to outbound internet traffic.

 

ShabazShaik_7-1689928542790.png

 

 

You should enable Active FTP support on Azure Firewall. The simplest way to do this is to export the Firewall template and redeploy with the additional properties updated to allow Active FTP.

 

ShabazShaik_8-1689928542791.png

 

 

On the internet client, disable Passive FTP (links to instructions are provided below) before launching explorer to start FTP session to the Azure Firewall Public IP. Provide the user credentials and start file transfer by copying the remote folders to your desktop.

 

ShabazShaik_9-1689928542793.png

 

Additionally, you can verify the Firewall logs and the FileZilla server to debug transactions errors.

 

ShabazShaik_10-1689928542797.png

 

Conclusion:


This covers validating FTP scenario using Azure Firewall. We want to hear from you. Please share your experience and any feedback. Follow the links below to learn more about FTP and help with setup.

 

File Transfer Protocol - Wikipedia

Azure Firewall FTP support | Microsoft Learn

FileZilla - The free FTP solution (filezilla-project.org)

(537) Filezilla FTP Server Setup for Windows - YouTube

Passive FTP Mode: Enabling / disabling in Internet Explorer (dynabook.com)

Published on:

Learn more
Azure Network Security Blog articles
Azure Network Security Blog articles

Azure Network Security Blog articles

Share post:

Related posts

Fundamentals of Azure DevOps with SQL projects

Building automated pipelines with your SQL database projects enables you to build a rich CI/CD ecosystem to ensure that your application is be...

1 day ago

Upcoming Change: NTLM Removal in Git (libcurl) – Impact to Azure DevOps Server Customers

Overview In September 2026, NTLM support will be removed from libcurl, which is used by Git for HTTP(S) operations. As a result, Git operation...

1 day ago

What’s new across Microsoft SQL in 2026 so far (SQL Server, Azure SQL, and SQL database in Fabric)

We’re halfway through 2026, and Microsoft SQL has not slowed down. Since SQLCon/FabCon in March (where we released a ton of things, and those ...

2 days ago

Power Automate Flow — HTTP Trigger to Azure OpenAI

Build the secure Power Automate HTTP trigger flow that receives free text from the portal, calls Azure OpenAI using your smart-form-extract de...

4 days ago

Spring AI 2.0 is GA: Vector Search, Memory, and Agents on Azure Cosmos DB

The wait is over. Spring AI 2.0 is generally available, and Azure Cosmos DB is right there with it. With this release, Spring AI graduates int...

4 days ago
Stay up to date with latest Microsoft Dynamics 365 and Power Platform news!
* Yes, I agree to the privacy policy