Guidance Required for Azure SFTP Architecture with Private Storage Account

Hello Sumit Gaur you can absolutely keep your Storage Account completely locked down on a private endpoint and still let a handful of external users SFTP in. In Azure there are two common “reverse‐proxy” patterns you can lean on:

Azure Firewall DNAT “hub-and-spoke” pattern • Deploy Azure Firewall in a central (hub) VNet with its own public static IP. • Peer or deploy your Storage Account’s private endpoint into that VNet (or into a spoke that’s peered to the hub). • On the Firewall create a DNAT rule: map inbound TCP/22 on the firewall’s public IP → the Storage Account’s privatelink.blob.core.windows.net:22 hostname. • Lock down the DNAT rule to only the source IP(s) of your external users. • All other traffic to the firewall or storage stays private.

Self-hosted SFTP gateway behind a Standard Load Balancer • Spin up a Linux VM (or Container Instance/AKS) in a VNet, mount your blob container via BlobFuse or Azure File via a private endpoint. • Drop a Standard Load Balancer in front, assign it a public IP and an inbound NAT rule on port 22 → your VM/Container. • Use NSGs on the VM/subnet or the LB’s built-in allow lists to lock down who can connect. • The VM or container simply proxies SFTP traffic onto the storage account over the private link.

Both patterns let you:

• Keep the Storage Account firewall set to “private endpoint only”
• Expose just port 22 on a single public IP that you can tightly restrict
• Use Azure-native components (Azure Firewall, Load Balancer, Private Link, NSGs)
• Monitor and log all inbound SFTP connections in Azure Monitor

https://learn.microsoft.com/azure/firewall/firewall-sftp?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider
https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider https://learn.microsoft.com/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?WT.mc_id=Portal-Microsoft_Azure_Support
https://learn.microsoft.com/azure/storage/common/storage-network-security

Hope that gives you two turnkey, fully-Azure-native options to proxy external SFTP traffic into your private storage account! Let me know if you need more architecture diagrams or sample scripts.

Hello Sumit Gaur

Considering Azure's design constraints and service capabilities, Azure Storage Account (SFTP-enabled) does not offer a native reverse proxy pattern like HTTP/HTTPS services such as Application Gateway or Front Door. Since SFTP uses SSH (TCP port 22), most Azure Layer‑7 services are not built for this protocol. Although Application Gateway now supports TCP/TLS proxying, it is not generally suitable for SSH/SFTP and does not provide deep protocol support for SFTP traffic.

Therefore, Microsoft suggests exposing SFTP securely using network-level components, keeping the Storage Account behind a private endpoint.

The recommended Azure-native architecture is a hub-and-spoke model with Azure Firewall and DNAT (Destination NAT). In this setup, the Storage Account stays private and connects to a virtual network via a Private Endpoint. Azure Firewall, deployed in a central hub with a public IP, forwards approved SFTP traffic (TCP port 22) to the Storage Account using DNAT rules. Access is restricted by allowed source IPs, ensuring only authorized users can connect. This maintains privacy while enabling secure external access.

Another option is a self-managed SFTP gateway (VM or container-based) within a virtual network. Here, a Linux VM or container acts as the SFTP endpoint, exposed via a public IP (using a Standard Load Balancer). This gateway connects privately to the Storage Account and serves as a proxy. Access controls can be enforced using NSGs and firewall rules.

For best practices, public network access should remain disabled on the Storage Account, relying solely on Private Endpoint connectivity. Security can be strengthened with SSH key authentication and identity-based controls. Using centralized entry points like Azure Firewall improves visibility, logging, and auditing of SFTP traffic.

In summary, while Azure does not offer a managed reverse proxy for SFTP, these architectures are best practice:

• Azure Firewall with DNAT (preferred for management and security)
• Self-hosted SFTP gateway behind a controlled public entry point

Both methods keep the Storage Account private while securely allowing external SFTP access.

Check the below documents for more understanding:
https://learn.microsoft.com/en-us/azure/firewall/firewall-sftp

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider

https://learn.microsoft.com/en-us/azure/storage/common/storage-network-security

https://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insiderhttps://learn.microsoft.com/en-us/azure/storage/blobs/secure-file-transfer-protocol-support-how-to?WT.mc_id=Portal-Microsoft_Azure_Support&tabs=azure-portal

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Hello  Sumit Gaur

I just wanted to follow up and see if you had a chance to review my answer to your question. Please let us know if you found it useful, and don't hesitate to contact us if you have any further questions.

Hope the above answer helps! Please let us know do you have any further queries.

Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.