Windows IIS FTP Server Configuration
I won’t be going into the details of the FTP server configuration here. I will just be going over the FTP firewall settings and set the Data Channel Port (Passive FTP Ports). Below is how the FTP server is configured to support the external load balancer. On the IIS server settings – FTP Firewall Support is where you define the Data Channel Port Range.
I have defined ports 5000-5002.
At the site, the level is where you configure the public IP address of the external load balancer.
As you see in the screenshot below the public IP of the external load balancer is configured.
Azure External Load Balancer
Configuring an Azure External Load Balancer for FTP is strait forward. One thing to note with Passive FTP is that all the Data Channel ports for FTP must be defined in the load balancing rules. If you define ports 5000-5100, there will be 100 load balancing rules for each data channel port. I recommend keeping the number of passive ports to a minimum since Azure External Load Balancers do not support a port range.
- Azure Public IP – this will be configured as the load balancer’s front-end IP
- Azure Load Balancer
- FTP Port requirements for inbound traffic and public IP address(es) of the client(s) that will be accessing the FTP server
Deploy the Load Balancer
Search for Azure Load Balancer in the search bar in the Azure Portal
Define the following parameters then select Next: Frontend IP configuration
- Resource Group
- Leave SKU: Standard
- Leave Type: Public
- Tier: Region
Select Add a frontend IP Configuration, define the following parameters
- Frontend IP Name
- IP version: leave IPv4
- IP type: leave IP address
- Public IP address
- Gateway Load balancer: leave None
Select Review + create – we will go over the configuration of the remaining items of the Load Balancer after it has been deployed.
Configuration of the Azure External Load Balancer
I will now go over the configuration of the Azure Load Balancer. This will detail how the Backend pool, Health probes, Load balancing rules, and Outbound rules are configured.
Frontend IP Configuration
As you see in the screenshot below, the frontend IP is defined by the rules associated with the front end. After additional load balancing rules are added I will review the frontend configuration again.
The backend pool configuration is how you associate a virtual machine with the load balancer. In the screenshot below, I use the following configuration
- Virtual network – the VNET that the target virtual machine is associated with
- Backend Pool Configuration: NIC
- IP Version: IPv4
- Add the virtual machine by selecting the +Add button
- Select Save
I have created an FTP Health probe for port 21. I will also be using this health probe for my FTP data channel ports. You can make a health probe for each data channel port.
- Name: FTP
- Protocol: TCP
- Port: 21
- Interval: 5
- Unhealthy threshold:2
Load Balancing Rules
I have the port 21 load balancing rule already configured but need to add the FTP data channel ports that I have defined in FTP Firewall (5000-5002).
Define the following parameters:
- Name: I like to give it the name of the port number, in this example, I will use 5000
- IP Version: IPv4
- Frontend IP address: Select your Frontend IP Config – FEIP
- Backend Pool: Select your backend pool – BEP-01
- Protocol: TCP
- Port: 5000
- Backend Port: 5000
- Health Probe: ftp (TCP:21)
- Session persistence: None
- Idle timeout (minutes): 4
- TCP reset: Disabled
- Floating IP: Disabled
- Outbound source network address translation (SNAT): (Recommended) Use outbound rules to provide backend pool members access to the internet
- Select Add
Here is the full set of Load Balancing rules:
There is a requirement to create an outbound rule for the back-end resource to be able to reach out to the internet.
Network Security Group Rules
The final step in configuring this solution is configuring the inbound rules for the NSG. The rule should have TCP ports 21 and the data channel ports defined in your FTP firewall (in my case, this would be 5000-5002).
Passive FTP via an Azure Load Balancer combined with Network Security Group is a great solution to expose your FTP server on the internet securely. Understanding the total possible number of connections at a single time will help determine the minimum number of passive data channel ports required to configure on the Azure External Load Balancer.