Azure SMB: Accessing File Shares in the Cloud

Organizations have traditionally relied on the Server Message Block (SMB) protocol for use cases such as file share access, network printing, interprocess communication, etc. As a term, it is often used interchangeably with CIFS, which is a dialect or a version of SMB. With the advent of cloud services, there has been a rising demand for using the SMB protocol alongside cloud file sharing services, in both cloud-only as well as hybrid architectures.

Azure Files offers native cloud file sharing services based on the SMB protocol. Cloud Volumes ONTAP is another popular service that is available in Azure that allows you to create shares that can be accessed not only over SMB/ CIFS, but also via the NFS protocol. In this blog we will explore options for accessing file shares in Azure through SMB and how Cloud Volumes ONTAP can help you meet these and many more requirements.

What Is Server Message Block?

The SMB protocol was originally created by IBM as a client-server protocol for accessing shared files, printers over network, and for enabling inter-process communication. Multiple versions of the protocol, commonly called dialects, were created over time to meet changing network requirements. The protocol works at the application layer and can communicate on port 445 over TCP/IP.

CIFS is an implementation or dialect of SMB developed by Microsoft for Windows systems. Developed mainly for file sharing, CIFS supports functionalities that include discovering other SMB servers in the network, protocol dialect negotiation, file attribute management, locking, and notification. SMB can also be used in Linux systems by installing SAMBA, an open-source implementation of SMB.

SMB 3.1.1 is the latest version of the protocol and it offers several advanced features such as cluster dialect fencing, an advanced cryptographic algorithm (AES-128-CCM & AES-128-GCM), support for SMB encryption, and improved pre-authentication integrity using SHA-512.

ONTAP 9.5, the software used in Cloud Volumes ONTAP supports up to SMB 3.1.1 starting from SMB 1, though the functionalities supported will vary across the versions. This enables organizations to use the SMB version of their choice based on security mandates. In addition to the strong security provided by SMB, file shares created in Cloud Volumes ONTAP benefit from storage efficiency features that can reduce the storage footprint and cost in Azure by 50-70%.

SMB Share Access

The SMB protocol allows clients to access shared files on a remote server through a set of requests sent between the client and the server via data packets. These include mainly session control packets and file access packets. While session control packets are important to establish a connection to the remote server, file access packets are used to access the data in the server. SMB also uses general message packets for data management in use cases like remote printer, mail slots, and named pipe access.

SMB Access Permissions

SMB uses user-level and share-level security for authenticating file shares. User-level security is a username-password based authentication mechanism. It allows administrators to control which users and groups have access to specific shares. In share-level security, access to shares is controlled using a password assigned at the share level. It does not require a user-level authentication to permit access.

While using Cloud Volumes ONTAP, configuration management of the environment can be done from the single pane console of NetApp Cloud Manager or with the use of API calls. The CIFS security configuration can be done easily from Cloud Manager using the CIFS setup wizard or through APIs, where you can use either Windows Active Directory or workgroup configuration in environments without AD. While using Windows AD, you can use your existing user accounts in the AD to authenticate to shares created in Cloud Volumes ONTAP.

Authentication in Azure

Authentication for resources in Azure uses the RBAC model for management plane or portal-level access. However, individual services hosted in Azure, including SMB, have their own authentication mechanisms. The preferred method for authentication of applications in Azure is through Azure Active Directory. It is a cloud-based identity as a service offering from Azure that can be integrated with a wide variety of applications hosted in cloud as well as in your corporate network.

Azure AD Domain

When you sign up for an Azure cloud subscription, an instance of Azure AD is provisioned for you, which is called an Azure AD tenant. A dedicated Active Directory that has a domain name in the format <domainname> is assigned to each tenant. All users, groups, and applications linked to your organization’s Azure AD tenant will be part of this Azure AD domain. You can use custom domain names with Azure AD, where users can be created in Azure AD with your organization’s domain name.

Azure AD Authentication

Azure AD implementation is different from the traditional Windows Server Active Directory implementation. While Windows AD uses Kerberos and NTLM for authentication, Azure AD uses protocols including SAML and OAuth 2.0, which mainly target cloud-first applications. NetApp Cloud Manager is given custom roles and permissions in Azure through an Azure AD service principal. In this way the service principal enables the management of Cloud Volumes ONTAP through Cloud Manager RESTful API service calls. This gives customers a seamless management experience, where the provisioning and management of SMB shares can be done using a few clicks from the Cloud Manager or simple commands over the API.

Azure Files

Azure Files is the managed file share in the cloud that can be accessed over Server Message Protocol (SMB) from on-premises as well as cloud-based machines. The file shares can be directly provisioned from the Azure portal, without going through the trouble of provisioning an entire infrastructure to host the shares. It is a cross-platform service, where the shares can be accessed from Windows, Linux, or MAC OS, provided that they support SMB.

Azure Files also supports deployment in hybrid architectures, where you can synchronize your Azure File shares to on-premises Windows servers using Azure File Sync. This is helpful in high latency or low bandwidth scenarios, where the local share acts as a cache of your data in the cloud for easy access. It can also act as a DR solution for your on-premises file shares. Cloud Volumes ONTAP enables DR of SMB shares using an automated failover and failback DR processes through SnapMirror® technology.

Azure Files Share Access

Azure Files uses SMB 3.0 and HTTPs for secure data access. You can also make REST API calls from your applications to a hosted Azure Files share. Authentication to Azure files is done using shared access signature (SAS) tokens while accessing the shares over REST API. For accessing over SMB, authentication is done using storage access keys. The drawback here is that anyone having storage access keys can access the file share, which is a level of transparency that a security audit might be concerned with.

Cloud Volumes ONTAP on the other hand supports AD-based authentication for the file shares hosted in the service, so that customers can have fine-grain control over who has access to specific shares and files provisioned using the service.

Conclusion: Get More with Cloud Volumes ONTAP

Customers need to evaluate and gauge the various decision parameters like security, accessibility, and storage economy while selecting the right SMB service in Azure. Cloud Volumes ONTAP offers a unique value proposition where it can also be integrated with on-premises storage system or used as a standalone solution in the cloud. While protecting your data through NetApp’s signature snapshot technology, it also ensures that the data is highly available through its dual mode deployment option.

New call-to-action