从Azure群集访问本地网络共享

Question

There is a need of using on-premises file share from Azure Service Fabric cluster. Eg reading files from the share and saving some data to the same file share

To do that we are using impersonation mechanism (some unsafe code). Using AD account we are able to access the share, but in case of failures with authentication the entire SF cluster goes down (not only the service with unhandled exception).

The question is: is it really good practice to use SMB file shares like \\ipaddress\\folder\\folder1 from Azure? Is there some workaround or better way of accessing these shares without impersonation?

The plan-B is mounting the share on each Azure node, but I don't like it. Plan-C is a SFTP server at some on-premises server.

Answer 1

Frankly, it is not a good idea to expose a corporate SMB fileshare over the Internet and many ISP's commonly block port 445 making it infeasible in most deployments. A possible Azure solution would be to provision an ExpressRoute circuit to privately address the file share on-premises. This can be expensive and time consuming so you could also explore alternatives like migrating to a Blob or Azure Files store. An interim solution may be to push/pull data to a cloud storage solution. The drawbacks are of course data duplication and extending the security perimeter of you data, as well as complexity. You would be well served to identify the on-premises data access patterns for the file share and see if you can fully migrate to a cloud data solution, keeping you data controlled and in once place, "close" to the SF cluster.