SMB access to on-premise resource from Azure Web App via Virtual Network


We have a setup where we have both VMs and Web Apps in Azure connected to our on-premise resources via a point-to-site virtual network.

We have a folder on premise with access to Everyone open (both on the share and NTFS) and the Azure VMs that are on that virtual network are able to browse to the share without difficulty.

The web apps are not able to access them however.

I'm assuming the following line in this article explains the reason, but I'm looking to confirm this is not possible:

"The work required to secure your networks to only the web apps that need access prevents being able to create SMB connections. While you can access remote resources this does not include being able to mount a remote drive."

Coming out of the logs from the attempt from the website to access it:

[image]

Taking the C# code out of the picture, trying to get the directory listing from the powershell console on the web app:

[image]

I've also tried this with Hybrid Connections, and am getting closer - once it's set up and attached to the Web App, I'm able to tcping the SMB port from the powershell console (which is further than I can get when using the VNET), but it's still unable to list a directory:

[image]

Any thoughts? Anyone doing anything similar?

Aleks B (best answer)

The tcping result is actually misleading - you are really pinging a local port hosted on your web app (hence why the tcping has results of ~1ms). Tcping doesn't actually test the full tunnel for Hybrid Connections because the tunnel is a TCP level data relay only (that is, it does not send TCP headers, etc., over the tunnel, only payload) and tcping does not send any data; it simply verifies that the TCP handshake succeeded.

Unfortunately, the article is correct - SMB will not work at all in your Web App. There are security layers in place that will block the attempt.
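
The effect described in the answer, reproduced on loopback as an added example (not part of the original answer): a payload-only relay completes the local TCP handshake before it ever contacts its far end, so a connect-only probe succeeds even when the far end is dead, while a probe that sends data and waits for a reply fails. The relay, the backend and the `ACK:` reply format are constructed for illustration and are not the Hybrid Connections implementation.

```python
import socket
import threading

def serve(handler):
    """Listen on an ephemeral loopback port and run handler(conn) per client."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def backend(conn):  # constructed stand-in for the remote service
    with conn:
        data = conn.recv(1024)
        if data:
            conn.sendall(b"ACK:" + data)

def relay_to(remote_port):
    """Constructed payload-only relay: the local accept happens before any remote contact."""
    def handler(conn):
        with conn:
            data = conn.recv(1024)
            if data:  # a connect-only probe sends nothing, so nothing is relayed
                try:
                    with socket.create_connection(("127.0.0.1", remote_port), timeout=1) as up:
                        up.sendall(data)
                        conn.sendall(up.recv(1024))
                except OSError:
                    pass  # far end unreachable: close without a reply
    return handler

def closed_port():
    """A loopback port with nothing listening (constructed dead far end)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def probe(port, payload=None):
    """payload=None: connect-only check, as the answer describes tcping doing.
    Otherwise send data and require the backend's reply (tests the whole path)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
            if payload is None:
                return True
            s.sendall(payload)
            return s.recv(1024).startswith(b"ACK:")
    except OSError:
        return False
```
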