Deploying Azure Files

February 20, 2023 By Randy Bordeaux

Now that we have done our due diligence and planned out our Azure Files deployment, we can get started on the deployment phase. Before we do that, let’s summarize what we are going to do:

1. Set up Azure Files (SMB) to replace an existing file server

Sounds simple, but remember we have already gone through the planning phase and made sure this will work with our network and ISP. Here we go!

Setting up the storage account is our first step. We are assuming you already have an Azure subscription. Log in to https://portal.azure.com and look for the storage blade.

This will take us over to the storage blade, and we can click + Add to start creating our storage account. This is pretty self-explanatory, but let’s walk through it. The subscription is where the storage account will be billed. Billing is usage-based, so your bill will reflect how much you use. In some cases, you may have multiple subscriptions and will need to select which one you want to use. The resource group is next. This is a pet peeve of mine. The resource group you use can either help you or just clutter things up. If you create a resource using a quick start, it will create a new resource group. That is not needed. The resource group is just a way to organize things. Try to name them appropriately. Here I am using a resource group called production. For my needs that works great, as there are a lot of lab environments that get built. When I do a lab environment, I use CompanyName-lab to show what it is and who it is for.

Name your resource groups appropriately!

Now we can move on to naming our storage account. Try to give it a name that makes its use easy to identify. In some cases, you may want to create different storage accounts for the different departments. You can do this, or you can create the file shares within one storage account. It is more personal preference than anything else. There is no cost to having different storage accounts; cost is based only on usage. Once we have that, we can move to the location, which is the region your data will be stored in. Try to pick one that is geographically close to where you will be using it. This can reduce the latency the users will experience.

Now we get to some important questions. The performance will drastically increase your cost. Typically, standard will work for a file server. If you are setting up a virtual machine with a premium disk, it will create a storage account with premium performance. For our purpose we will be using a general purpose v2 account with locally redundant storage in a hot tier. This gives us greater functionality, and we will be using it for file shares.

Networking

This storage account will be reachable from all networks, and we are going to use Microsoft network routing. If you want only a specific office to have access, you could make it available to selected networks only.

Data Protection

We want to make sure we can restore file shares in case one of the admins deletes them. You can set this or not. It really depends on how you protect your data. I want to have 30 days before the file share will be gone forever. This is NOT a replacement for a good backup.

This is NOT a replacement for a good backup!

Advanced

With the advanced settings, we can change the access to the storage account. This is a common cause of people not being able to get to a file share. If you disable blob public access it won’t matter if you give them access to the file share. It will still block it. This can lead to hours of frustration as you try to get it working. So, you should leave these as they are. You can always change things later if you need to.

Tags

Tags, tags, tags!!
They are your friend.

They will be your best friend. You can use them to categorize resources or consolidate billing.

I always use a few basic tags. This allows me to see if it is a production or lab environment, who is in charge of the resource, and who should be billed for it. These can be set to anything you might need.

Review/Create

Now that we have everything set, you will let Azure review the settings and create it.

Creating the File Share

Here we can see the storage account has been created. From here we still need to create the file shares. This is just a storage account and can be used for a variety of things.

We want to create a file share within the storage account.

Let’s select File Shares and click on + File Share. This will open a New file share window on the right. One thing to remember is that the name of the file share will always be lowercase with no spaces. The tier will determine your pricing for data at rest and transactions.

When you are ready, you just click Create. Then you can see the different file shares you created.
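The portal steps above, from storage account to file share, expressed as an Az PowerShell script (an added example, not part of the original post and not Microsoft's generated script). The subscription, region, tag values and resource names are placeholder assumptions, as is the TransactionOptimized share tier.

```powershell
#Requires -Modules Az.Accounts, Az.Resources, Az.Storage
# Added example: scripted equivalent of the portal walkthrough. Every name is a placeholder.
$Subscription   = 'SUBSCRIPTION-NAME-OR-ID'
$ResourceGroup  = 'production'
$Location       = 'eastus'               # assumption: choose the region closest to your users
$StorageAccount = 'storageaccountname'   # placeholder
$ShareNames     = @('filesharename')     # placeholder
$Tags = @{ Environment = 'Production'; Owner = 'OWNER-PLACEHOLDER'; BillTo = 'DEPT-PLACEHOLDER' }
$ErrorActionPreference = 'Stop'

# Fail before touching Azure if a name breaks the naming rules.
if ($StorageAccount -cnotmatch '^[a-z0-9]{3,24}$') {
    throw "Storage account name '$StorageAccount' must be 3-24 lowercase letters or digits."
}
foreach ($name in $ShareNames) {
    # Share names: 3-63 chars, lowercase letters, digits and single hyphens only.
    if ($name -cnotmatch '^[a-z0-9][a-z0-9-]{1,61}[a-z0-9]$' -or $name -match '--') {
        throw "File share name '$name' must be lowercase with no spaces."
    }
}

Connect-AzAccount | Out-Null
Set-AzContext -Subscription $Subscription | Out-Null   # the subscription that gets billed

# Reuse the resource group if it already exists instead of creating clutter.
if (-not (Get-AzResourceGroup -Name $ResourceGroup -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location -Tag $Tags | Out-Null
}

# General purpose v2, locally redundant storage, hot tier, tagged.
New-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount `
    -Location $Location -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot `
    -Tag $Tags | Out-Null

# Data protection: deleted file shares stay restorable for 30 days (not a backup).
Update-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount `
    -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays 30 | Out-Null

foreach ($name in $ShareNames) {
    New-AzRmStorageShare -ResourceGroupName $ResourceGroup `
        -StorageAccountName $StorageAccount -Name $name `
        -AccessTier TransactionOptimized | Out-Null
}

# Read the settings back so the result can be checked against the plan.
(Get-AzStorageFileServiceProperty -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount).ShareDeleteRetentionPolicy
Get-AzRmStorageShare -ResourceGroupName $ResourceGroup `
    -StorageAccountName $StorageAccount | Select-Object Name, AccessTier
```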

This is all it takes to get Azure Files set up. Now you can migrate your data into the file share. To connect to it, just click on the file share and click Connect. Then you can select the drive letter you want, and Azure will generate the script to map the network location for you. This can be run by any user and does not require admin rights.

With this setup, you do not yet have access control. For that, we would need to set up Azure AD Domain Services. Then we can control the file shares with Azure AD groups. You can still map the file shares using a script. If you need this to show up every time, you could even use a scheduled task or a GPO to accomplish it.

The script is provided by Microsoft when you click on Connect.

$connectTestResult = Test-NetConnection -ComputerName STORAGEACCOUNTNAME.file.core.windows.net -Port 445
if ($connectTestResult.TcpTestSucceeded) {
    # Save the password so the drive will persist on reboot
    cmd.exe /C "cmdkey /add:`"STORAGEACCOUNTNAME.file.core.windows.net`" /user:`"localhost\STORAGEACCOUNTNAME`" /pass:`"REDACTED`""
    # Mount the drive
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\STORAGEACCOUNTNAME.file.core.windows.net\FILESHARENAME" -Persist
} else {
    Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
}

I hope this has been insightful, and let us know what issues you ran into in the comments!