Azure File Sync for a Hybrid Environment

I’ve configured Azure File Sync in my home lab quite a few times, and the setup is pretty straightforward. By default Azure File Sync sends data over the internet, which, although it is encrypted (if you have set that up), is not ideal. Below is a step-by-step guide to setting up Azure File Sync with private endpoints so that the data flows over a VPN.

The scenario below assumes the following is already in place:

  • VPN from on-premises into Azure
  • Storage account and Azure file share
  • Subnet for the Private Endpoints
  • On-premises file share

Storage Sync Service

First we need to create a Storage Sync Service. This is a little strange in itself, as you need to go to the marketplace, where it is called Azure File Sync:

Click Create, add the resource group, storage sync service name and region, add any tags and create:

Add a sync group; this will contain the cloud endpoint (the file share) and the server endpoint (the on-premises file server). Give the sync group a name, select the storage account and file share created previously, and click Create.

Once the sync group has been created, you will notice the cloud endpoint has already been created.

Before installing the server endpoint we are going to create the Private Endpoints, which associate a private IP address with the storage account and with each of the File Sync services.

At the top of the screen type Private Link Center; once the page loads, click Private Endpoints on the left-hand side.

We will be adding two private endpoints, one for the storage account and one for the Storage Sync Service. For the first, add the resource group, name and region.

Next we need to add the resource type, resource and target sub-resource. In the screenshot below you can see I have selected Microsoft.Storage/storageAccounts as the resource type. It is important to make sure you select the correct storage account and target sub-resource.

On the Configuration page, select the VNet and subnet that will hold the Private Endpoint IP addresses.

Once you have added any tags you can click create.

Next, create another private endpoint for the Storage Sync Service. The steps are the same as above, except that on the Resource page you select Microsoft.StorageSync/storageSyncServices as the resource type, the Storage Sync Service as the resource and AFS as the target sub-resource.

Before moving to the server endpoint we have two last steps. The first is to obtain the FQDN and IP address of the storage private endpoint and of each of the Storage Sync Service endpoints. The easiest place to get these is the Private DNS Zones blade:

First we will get the storage private endpoint FQDN and IP address. Click on privatelink.file.core.windows.net, and then on the storage account name:

Take a note of the name and IP address:

Do the same for the Storage Sync Service private endpoint. Note that there will be four records for it (one per sync service), so make sure you capture the name and IP address of each one.

Before adding the details captured above as DNS entries on your on-premises DNS, remove “privatelink” from each FQDN. The server queries the public name, so that public name must resolve to the private endpoint address.

Before:

  • acuksstorage001.privatelink.file.core.windows.net 10.0.1.4
  • ac-uks-storagesyncservmanagement.uksouth.privatelink.afs.azure.net 10.0.1.5
  • ac-uks-storagesyncservmonitoring.uksouth.privatelink.afs.azure.net 10.0.1.8
  • ac-uks-storagesyncservsyncp.uksouth.privatelink.afs.azure.net 10.0.1.6
  • ac-uks-storagesyncservsyncs.uksouth.privatelink.afs.azure.net 10.0.1.7

After:

  • acuksstorage001.file.core.windows.net 10.0.1.4
  • ac-uks-storagesyncservmanagement.uksouth.afs.azure.net 10.0.1.5
  • ac-uks-storagesyncservmonitoring.uksouth.afs.azure.net 10.0.1.8
  • ac-uks-storagesyncservsyncp.uksouth.afs.azure.net 10.0.1.6
  • ac-uks-storagesyncservsyncs.uksouth.afs.azure.net 10.0.1.7
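The conversion above is easy to get wrong by hand, and a wrong or missing record means the agent silently falls back to the public endpoint. The following PowerShell is an added example (not part of the original post) that takes the privatelink FQDN/IP pairs noted from the Private DNS zones, derives the public names to register on the on-premises DNS server, and, when run on the file server, checks that each name resolves to its private endpoint address rather than to a public one. The names and addresses are the sample values listed above; `Test-IsPrivateIPv4`, `ConvertTo-OnPremDnsRecord` and `Test-OnPremDnsRecord` are helper names chosen here.

```powershell
# Added example, not from the original post. Derives the public names the on-premises
# server queries from the privatelink records, and verifies that each resolves to the
# private endpoint IP. Names and addresses below are the post's sample values.

$privateLinkRecords = @(
    @{ Fqdn = 'acuksstorage001.privatelink.file.core.windows.net';                  Ip = '10.0.1.4' }
    @{ Fqdn = 'ac-uks-storagesyncservmanagement.uksouth.privatelink.afs.azure.net'; Ip = '10.0.1.5' }
    @{ Fqdn = 'ac-uks-storagesyncservmonitoring.uksouth.privatelink.afs.azure.net'; Ip = '10.0.1.8' }
    @{ Fqdn = 'ac-uks-storagesyncservsyncp.uksouth.privatelink.afs.azure.net';      Ip = '10.0.1.6' }
    @{ Fqdn = 'ac-uks-storagesyncservsyncs.uksouth.privatelink.afs.azure.net';      Ip = '10.0.1.7' }
)

function Test-IsPrivateIPv4 {
    # RFC 1918 check: an answer outside these ranges means sync traffic would leave
    # the VPN and use the storage account's or sync service's public endpoint.
    param([Parameter(Mandatory)][string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function ConvertTo-OnPremDnsRecord {
    # Strip the "privatelink" label: the agent queries the public name, so the
    # on-premises zone must hold the public name pointing at the private address.
    param([Parameter(Mandatory)][string]$PrivateLinkFqdn,
          [Parameter(Mandatory)][string]$Ip)
    $publicFqdn = $PrivateLinkFqdn -replace '\.privatelink\.', '.'
    $hostLabel, $zoneName = $publicFqdn -split '\.', 2
    [pscustomobject]@{ Zone = $zoneName; Host = $hostLabel; Fqdn = $publicFqdn; Ip = $Ip }
}

function Test-OnPremDnsRecord {
    # Resolve the public name from this server and classify the answer.
    param([Parameter(Mandatory)][pscustomobject]$Record)
    $answers = @(Resolve-DnsName -Name $Record.Fqdn -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress)
    $status = if ($answers.Count -eq 0) { 'no A record: add it to the on-premises zone' }
              elseif ($answers -contains $Record.Ip) { 'OK: resolves to the private endpoint' }
              elseif ($answers | Where-Object { -not (Test-IsPrivateIPv4 $_) }) { 'PUBLIC IP: traffic would bypass the VPN' }
              else { 'private IP, but not the expected private endpoint address' }
    [pscustomobject]@{ Fqdn = $Record.Fqdn; Expected = $Record.Ip; Resolved = ($answers -join ', '); Status = $status }
}

$records = $privateLinkRecords | ForEach-Object { ConvertTo-OnPremDnsRecord -PrivateLinkFqdn $_.Fqdn -Ip $_.Ip }

# What to enter on the on-premises DNS server (zone, host record, address)
$records | Format-Table Zone, Host, Ip -AutoSize

# Verification, run from the file server that will host the server endpoint
$records | ForEach-Object { Test-OnPremDnsRecord $_ } | Format-Table -AutoSize
```

Run the verification before registering the server: any row marked PUBLIC IP means the on-premises resolver is still handing out the internet-facing address for that name, and sync for that service would not use the VPN.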

We can now go to the storage account, then Networking and the Private endpoint tab, to confirm the Private Endpoint has been created.

On the Firewall and Virtual Networks tab of the storage account, select “Selected Networks” but do not add any networks.

The last step is to run the following script in Azure PowerShell, which restricts the Storage Sync Service to its private endpoint so that traffic flows over the VPN and not the internet. Replace the resource group name and Storage Sync Service name in the top two lines.

# Replace these two values with your own resource group and Storage Sync Service name
$storageSyncServiceResourceGroupName = "<storage-sync-service-resource-group>"
$storageSyncServiceName = "<storage-sync-service>"

# Fetch the Storage Sync Service as a generic ARM resource so its properties can be patched
$storageSyncService = Get-AzResource `
        -ResourceGroupName $storageSyncServiceResourceGroupName `
        -ResourceName $storageSyncServiceName `
        -ResourceType "Microsoft.StorageSync/storageSyncServices"

# Close the public endpoint to incoming traffic; only the private endpoint(s) remain reachable
$storageSyncService.Properties.incomingTrafficPolicy = "AllowVirtualNetworksOnly"
$storageSyncService = $storageSyncService | Set-AzResource -Confirm:$false -Force -UsePatchSemantics
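Having made three separate changes in the portal and in PowerShell (storage firewall, private endpoints, incoming traffic policy), it is worth reading the configuration back rather than trusting the clicks. The following is an added example, not part of the original post or of Microsoft's documentation, that audits the three settings with the Az PowerShell cmdlets the post already uses plus `Get-AzStorageAccount` and `Get-AzPrivateEndpointConnection`. The storage account variables and the function name `Get-FileSyncNetworkPosture` are assumptions; the post only names the storage account in the portal.

```powershell
# Added example, not from the original post: read back the network posture configured
# above and report anything that still leaves a public path open. Replace the four
# placeholders; the storage account variables are an addition here.
$storageSyncServiceResourceGroupName = "<storage-sync-service-resource-group>"
$storageSyncServiceName              = "<storage-sync-service>"
$storageAccountResourceGroupName     = "<storage-account-resource-group>"
$storageAccountName                  = "<storage-account>"

function Get-FileSyncNetworkPosture {
    param(
        [Parameter(Mandatory)][string]$SyncResourceGroupName,
        [Parameter(Mandatory)][string]$SyncServiceName,
        [Parameter(Mandatory)][string]$StorageResourceGroupName,
        [Parameter(Mandatory)][string]$StorageAccountName
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Storage Sync Service: the public endpoint should be closed to incoming traffic
    $syncService = Get-AzResource -ResourceGroupName $SyncResourceGroupName `
        -ResourceName $SyncServiceName -ResourceType 'Microsoft.StorageSync/storageSyncServices'
    $policy = $syncService.Properties.incomingTrafficPolicy
    if ($policy -ne 'AllowVirtualNetworksOnly') {
        $findings.Add("Storage Sync Service incomingTrafficPolicy is '$policy'; its public endpoint still accepts sync traffic.")
    }

    # Storage account: "Selected networks" with nothing selected means DefaultAction=Deny and no rules
    $account = Get-AzStorageAccount -ResourceGroupName $StorageResourceGroupName -Name $StorageAccountName
    $acl = $account.NetworkRuleSet
    if ($acl.DefaultAction -ne 'Deny') {
        $findings.Add("Storage account default network action is '$($acl.DefaultAction)'; the file share is reachable from the internet.")
    }
    if (@($acl.IpRules).Count -gt 0 -or @($acl.VirtualNetworkRules).Count -gt 0) {
        $findings.Add("Storage account firewall has allow rules; only the private endpoint should be in use.")
    }

    # Private endpoints: at least one approved connection should exist on the storage account
    $peConnections = @(Get-AzPrivateEndpointConnection -PrivateLinkResourceId $account.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.PrivateLinkServiceConnectionState.Status -eq 'Approved' })
    if ($peConnections.Count -eq 0) {
        $findings.Add("No approved private endpoint connection found on the storage account.")
    }

    [pscustomobject]@{
        IncomingTrafficPolicy    = $policy
        StorageDefaultAction     = $acl.DefaultAction
        ApprovedPrivateEndpoints = $peConnections.Count
        Findings                 = $findings
        Compliant                = ($findings.Count -eq 0)
    }
}

Get-FileSyncNetworkPosture -SyncResourceGroupName $storageSyncServiceResourceGroupName `
    -SyncServiceName $storageSyncServiceName `
    -StorageResourceGroupName $storageAccountResourceGroupName `
    -StorageAccountName $storageAccountName
```

A `Compliant` value of `True` means the sync service only accepts traffic arriving through private endpoints, the storage account denies everything that does not come via its private endpoint, and that private endpoint is approved; each `Findings` entry names the setting to revisit.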

Finally, on to the server endpoint. Download the File Sync agent from here and run the installer. During installation you can select automatic updates and a proxy if required. Once the installation is complete, sign in with your Azure credentials.

Select the Azure Subscription, Resource Group and Storage Sync Service created previously.

The final step is to go back to the Storage Sync Service in Azure and into the sync group. Select Add Server Endpoint at the top of the screen.

Add the registered server, share path and cloud tiering requirements.

Once it has finished processing, the health should turn green, and that’s it, all done.

Setting up File Sync to run over a VPN/ExpressRoute does take a bit of configuration, but it’s well worth it to ensure the data is not synced over the internet.

Below is some additional Microsoft documentation.

Deploy Azure File Sync

Planning for an Azure File Sync Deployment

Azure File Sync Networking Considerations

Azure Private Endpoint DNS Configuration

Troubleshoot Azure File Sync

Creating an isolated IOT network with the UniFi Dream Machine

Over the last couple of years the number of IOT devices we have at home has increased quite dramatically, and it seems every Xmas holiday we get new smart plugs or smart lights. With two young children, I can see the number of IOT devices we have is only going to increase.

I first heard about Ubiquiti about a year ago, and straight away I was impressed at how good their networking products were. I was immediately drawn to the UniFi Dream Machine; however, after reading some of the initial reviews, and with the COVID pandemic, I put everything on the back burner.

A few weeks ago, after reading some of the online reviews of the latest firmware, I decided to take the plunge and get the Dream Machine. Even though it’s only been a few days, I must say I am impressed.

One of the things I wanted was to put my ever-expanding collection of IOT devices on a separate network. These include:

  • Amazon Echos
  • Google Home Mini
  • Various smart plugs and lights
  • Ring Doorbell and Chime

The only device I had any real issue with was the Google Home Mini, but more on that later. The initial steps were as follows:

  • Create a separate network
  • Create a separate WIFI network attached to the network
  • Create some firewall rules to ensure the IOT devices are unable to communicate with any of the other networks

I already have a LAN network and WIFI set up for my normal devices, so the first step is to create a separate network. Log into the UniFi controller, go to Settings, Networks and Local Network, click “Create New Local Network” and click on the Advanced option.

Give your network a name, leave the network purpose as Corporate, give it a VLAN number, and supply a gateway IP/subnet and DHCP range; the rest can be left as default. Don’t forget to click “Done” at the bottom of the page.

Next, click on Wi-Fi Networks, then “Create New Wi-Fi Network”, and once again click on the Advanced option.

Once you are on the WIFI creation page, give the WIFI a name, ensure the network is enabled, select the security protocol and provide a password for the WIFI network.

Further down on the same page, under the Advanced Settings section, enable VLAN usage, enter the VLAN ID, and click Done at the bottom of the screen.

Almost done: the IOT network has been created and associated with a WIFI network, and you should now be able to add devices to it. The last step is to ensure the IOT devices cannot communicate with the rest of the network.

Under “Internet Security” click on firewall.

Select LAN, and click on “Create New Rule”.

Under Type of connection select LAN In. Give the rule a description and ensure it is enabled. Under Rule Applied select “Before Predefined Rules”, and under Action select “Drop”. Under Source Type select “Network” and choose the name of the network you created earlier.

Further down on the same page, under “Destination Type” select “Network”, and lastly under “Network” select the network your normal devices are on and click “Apply”.

Once you’ve clicked Apply you should see your new firewall rule, which ensures the IOT devices are not able to connect to the rest of the network.

I managed to set up all my IOT devices on the new IOT WIFI except for the pesky Google Home Mini.

In order to get this up and running I had to create a temporary firewall rule that allows established IOT connections to communicate with the established LAN devices. This rule will be disabled later, and it does not allow communication between any new IOT device and the LAN network. The following firewall rule was configured:

  • Type: LAN In
  • Description: “give it a description”
  • Rule Applied: Before Predefined Rule
  • Action: Accept
  • Source Type: Network
  • Network: IOT-Devices
  • Destination Type: Network
  • Network: LAN

Under Advanced, enable “Match State Established” and “Match State Related”, then click Apply.

You need to ensure the new rule sits above the first rule so that it is evaluated first (a lower rule number means higher precedence). You can do this by dragging the new rule above the original rule.
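The ordering point is easy to get wrong, because UniFi evaluates LAN In rules top to bottom and stops at the first match. The following PowerShell is an added example, not part of the original post, that models the two rules described above as first-match rules and runs a few constructed traffic samples through them in both orders. Rule fields mirror the UniFi form; the network names, traffic descriptions and connection states are constructed values, and `Invoke-LanInRuleset` is a name chosen here.

```powershell
# Added example, not from the original post: a first-match evaluator for the two LAN In
# rules described above, showing why the accept rule has to sit above the drop rule.
# Networks, traffic descriptions and states are constructed sample values.

$acceptEstablished = @{
    Description = 'Temp: allow established/related IOT to LAN'
    Action      = 'Accept'
    Source      = 'IOT-Devices'
    Destination = 'LAN'
    States      = @('Established', 'Related')   # the "Match State" boxes ticked under Advanced
}
$dropIotToLan = @{
    Description = 'Drop IOT to LAN'
    Action      = 'Drop'
    Source      = 'IOT-Devices'
    Destination = 'LAN'
    States      = @()                            # no state match: applies to every packet
}

function Invoke-LanInRuleset {
    # Rules are evaluated top to bottom; the first rule whose network and state criteria
    # match decides the packet, which is exactly what dragging one rule above another changes.
    param([Parameter(Mandatory)][object[]]$Rules,
          [Parameter(Mandatory)][hashtable]$Packet)
    foreach ($rule in $Rules) {
        $networkMatch = ($rule.Source -eq $Packet.SourceNetwork) -and
                        ($rule.Destination -eq $Packet.DestinationNetwork)
        $stateMatch   = (@($rule.States).Count -eq 0) -or ($rule.States -contains $Packet.State)
        if ($networkMatch -and $stateMatch) {
            return [pscustomobject]@{ Action = $rule.Action; MatchedRule = $rule.Description }
        }
    }
    # Nothing user-defined matched, so UniFi falls through to its predefined rules
    return [pscustomobject]@{ Action = 'Predefined rules'; MatchedRule = '(none)' }
}

# Constructed traffic samples: a reply to the LAN phone that is setting up the Home Mini,
# an IOT device probing the LAN on its own, and ordinary cloud traffic leaving via WAN
$packets = @(
    @{ Name = 'Home Mini replying to phone on LAN'; SourceNetwork = 'IOT-Devices'; DestinationNetwork = 'LAN'; State = 'Established' }
    @{ Name = 'Smart plug probing the LAN';          SourceNetwork = 'IOT-Devices'; DestinationNetwork = 'LAN'; State = 'New' }
    @{ Name = 'Echo talking to its cloud service';  SourceNetwork = 'IOT-Devices'; DestinationNetwork = 'WAN'; State = 'New' }
)

$orders = [ordered]@{
    'Accept above Drop (correct)' = @($acceptEstablished, $dropIotToLan)
    'Drop above Accept (wrong)'   = @($dropIotToLan, $acceptEstablished)
}

$results = foreach ($order in $orders.GetEnumerator()) {
    foreach ($p in $packets) {
        $r = Invoke-LanInRuleset -Rules $order.Value -Packet $p
        [pscustomobject]@{ RuleOrder = $order.Key; Traffic = $p.Name; State = $p.State; Action = $r.Action; MatchedRule = $r.MatchedRule }
    }
}
$results | Format-Table -GroupBy RuleOrder -Property Traffic, State, Action, MatchedRule -AutoSize
```

With the accept rule on top, the Home Mini’s reply to the phone is accepted while the smart plug’s new connection into the LAN is still dropped; with the drop rule on top, the reply is dropped too, which is the symptom seen during setup. Once the temporary accept rule is disabled, only the drop rule is left in play, as described above.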

After creating this rule, I was able to set up the Google Home Mini without any problem. After setup I disabled the new rule, and the Google Mini was still working without a hitch.

I hope you find this useful; there is so much more you can do with the UDM, such as:

  • Rate limit networks (Great for IOT devices)
  • Setting up guest networks
  • Traffic Analysis
  • WIFI Blackout Windows
  • IDS and IPS Configuration
  • Creating Honeypots on each network

The UniFi Dream Machine is a brilliant bit of kit, and if you are interested in securing your home or small office network, it is well worth considering.