|
| 1 | +--- |
| 2 | +title: Azure Storage Mover networking Requirements |
| 3 | +description: Learn about the network prerequisites for using Azure Storage Mover, including the implementation of private networking. |
| 4 | +author: stevenmatthew |
| 5 | +ms.author: shaas |
| 6 | +ms.service: azure-storage-mover |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 10/22/2025 |
| 9 | +--- |
| 10 | + |
| 11 | +# Storage Mover networking prerequisites |
| 12 | + |
| 13 | +Azure Storage Mover is a service designed to facilitate seamless data migration to Azure Storage accounts. For organizations prioritizing security and compliance, integrating Storage Mover with Azure Private Networking ensures that sensitive data and credentials remain protected throughout the migration process. |
| 14 | + |
| 15 | +> [!NOTE] |
| 16 | +> Azure Storage Mover supports both on-premises and cloud data sources and targets. On-premises data sources are migrated to Azure storage using one or more agents, while cloud data sources are migrated using the Storage Mover service directly. |
| 17 | +> |
| 18 | +> This article focuses on the prerequisites for connecting on-premises infrastructure to Azure, and includes private networking considerations. |
| 19 | +
|
| 20 | +Azure Storage Mover communication occurs over HTTPS. This encrypted communication makes migrations over the public internet sufficiently secure for many organizations. These organizations might not, for example, require private network access to their storage account and key vault. For organizations prioritizing security and compliance, integrating Storage Mover with Azure Private Networking ensures that sensitive data and credentials remain protected throughout the migration process. These configurations typically begin with the creation of an Azure virtual network, which serves as the foundation for secure connectivity. For more information about Azure virtual networks, see [What is an Azure virtual network](../virtual-network/virtual-networks-overview.md). |
| 21 | + |
| 22 | +> [!IMPORTANT] |
| 23 | +> Currently, Storage Mover can be configured to route migration data from the agent to the destination storage account over Private Link. Hybrid Compute heartbeats and certificates can also be routed to a private Azure Arc service endpoint in your virtual network (VNet). Some Storage Mover traffic can't be routed through Private Link and is routed over the public endpoint of a storage mover resource. This data includes control messages, progress telemetry, and copy logs. |
| 24 | +
|
| 25 | +To link on-premises infrastructure to Azure, organizations need to enable hybrid connectivity. This hybrid link can be created using a Site-to-Site VPN via Azure VPN Gateway or Azure ExpressRoute. Both options establish private tunnels that enable secure access to Azure resources. For more information about Azure VPN Gateway or ExpressRoute, see [What is an Azure VPN Gateway](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [What is Azure ExpressRoute](../expressroute/expressroute-introduction.md). |
| 26 | + |
| 27 | +Private Endpoints also play a critical role in this approach, allowing services such as Azure Storage Accounts and Azure Key Vaults to be accessed privately. These endpoints reside within a subnet of the virtual network and require domain name system (DNS) records to correctly resolve private IP addresses. During setup, users can configure a Private DNS Zone to manage these records. For more information about Private Endpoints, see [What is an Azure Private Endpoint](../private-link/private-endpoint-overview.md). |
| 28 | + |
| 29 | +This article outlines the key requirements and configuration steps necessary to deploy Azure Storage Mover in a private network environment. |
| 30 | + |
| 31 | +## Networking overview |
| 32 | + |
| 33 | +When Azure Storage Mover is deployed in a private networking environment, several components must be configured to ensure secure and efficient operation. The Storage Mover Agent, which performs the actual data migration tasks, needs to connect to various Azure services. Some of these services support private endpoints, while others require public endpoint access. |
| 34 | + |
| 35 | +### Required ports |
| 36 | + |
| 37 | +A storage mover agent supports both SMB and NFS clients. The following list of ports must be enabled between a Storage Mover Agent VM, a storage VM, and an Azure Fileshare. |
| 38 | + |
| 39 | +| Service | Port and Protocol | Source VM | Target | |
| 40 | +|---------------------------|-------------------|-----------|-------------------------------------| |
| 41 | +| SMB | 445/TCP | Agent VM | On-premises SMB share server | |
| 42 | +| NFS | 2049/TCP | Agent VM | On-premises NFS share server | |
| 43 | +| Blob or File Share target | 443/HTTPS | Agent VM | Azure File Share | |
| 44 | + |
| 45 | +### Required services and endpoints |
| 46 | + |
| 47 | +The following table provides a summary of the required services, their endpoint types, and whether private access is supported. Because your network settings must allow the Storage Mover Agent to connect over HTTPS to the service's endpoints, the Fully Qualified Domain Name (FQDN) is also included. |
| 48 | + |
| 49 | +<!--# [Public Cloud](#tab/public)--> |
| 50 | + |
| 51 | +| Service | Needed For | Supports Private Endpoints | FQDN | |
| 52 | +|----------------------------|----------------------|----------------------------|----------------------------------------------------| |
| 53 | +| **Microsoft Artifact Registry** | Agent updates | ❌ | `mcr.microsoft.com` | |
| 54 | +| **Storage Mover Service** | Agent heartbeats and migration job assignments | ❌ | `<region>.agentgateway.prd.azsm.azure.com` | |
| 55 | +| **Event Hubs** | Publishing copy logs | ❌ | `evhns-sm-ur-prd-<region>.servicebus.windows.net` | |
| 56 | +| **Azure Arc** | Registration | ✅ (via Arc Private Link Scope) | `*.guestconfiguration.azure.com` and<br />`*.his.arc.azure.com` | |
| 57 | +| **Microsoft Entra ID** | Registration | ❌ | `login.microsoftonline.com` and<br />`pas.windows.net` | |
| 58 | +| **Azure Resource Manager** | Registration | ❌ | `management.azure.com` | |
| 59 | +| **Storage Account (Flat Blob)** | Job targets | ✅ | `*.blob.core.windows.net` | |
| 60 | +| **Storage Account (HNS Blob)** | Job targets | ✅ | `*.blob.core.windows.net` and<br />`*.dfs.core.windows.net` | |
| 61 | +| **Storage Account (File)** | Job targets | ✅ | `*.file.core.windows.net` | |
| 62 | +| **Key Vault** | Data source endpoint access credentials, as needed | ✅ | `*.vault.azure.net` | |
| 63 | + |
| 64 | +<!-- |
| 65 | +# [Fairfax](#tab/fairfax) |
| 66 | +
|
| 67 | +| Service | Needed For | Supports Private Endpoints | FQDN | |
| 68 | +|----------------------------|----------------------|----------------------------|--------------------------------------------------------| |
| 69 | +| **Microsoft Artifact Registry** | Agent updates | ❌ | `mcr.microsoft.com` | |
| 70 | +| **Storage Mover Service** | Agent heartbeats and migration job assignments | ❌ | `<region>.agentgateway.ff.azsm.azure.us` | |
| 71 | +| **Event Hubs** | Publishing copy logs | ❌ | `evhns-sm-ur-ff-<region>.servicebus.usgovcloudapi.net` | |
| 72 | +| **Azure Arc** | Registration | ✅ (via Arc Private Link Scope) | `*.guestconfiguration.azure.com` and<br />`*.his.arc.azure.com` | |
| 73 | +| **Microsoft Entra ID** | Registration | ❌ | `login.microsoftonline.com` and<br />`pasff.usgovcloudapi.net` | |
| 74 | +| **Azure Resource Manager** | Registration | ❌ | `management.usgovcloudapi.net` | |
| 75 | +| **Storage Account (Flat Blob)** | Job targets | ✅ | `*.blob.core.usgovcloudapi.net` | |
| 76 | +| **Storage Account (HNS Blob)** | Job targets | ✅ | `*.blob.core.windows.net` and<br />`*.dfs.core.usgovcloudapi.net` | |
| 77 | +| **Storage Account (File)** | Job targets | ✅ | `*.file.core.usgovcloudapi.net` | |
| 78 | +| **Key Vault** | SMB credentials | ✅ | `*.vault.usgovcloudapi.net` | |
| 79 | +
|
| 80 | +--- |
| 81 | +--> |
| 82 | + |
| 83 | +The following sections detail the required components, public endpoint dependencies, and networking considerations for deploying Storage Mover in a private network. |
| 84 | + |
| 85 | +## Private networking requirements |
| 86 | + |
| 87 | +Within the Storage Mover hierarchy, a storage mover resource is the top-level service resource that you deploy in your Azure subscription. All aspects of the service and of your migration are controlled from this resource. However, Storage Mover Agents perform most of the migration's work. Storage Mover agents are virtual machines within your network that are used to facilitate migrations by performing the data transfer. |
| 88 | + |
| 89 | +To ensure that a Storage Mover Agent can operate within a private network, it must connect to several Azure services. Some of these services support private endpoints, while others require public endpoint access. |
| 90 | + |
| 91 | +To ensure that a Storage Mover Agent connects privately to Azure resources, the following components are required: |
| 92 | + |
| 93 | +- **Azure Virtual Network:**<br> |
| 94 | +An Azure virtual network is an isolated network within Azure that provides the foundation for private connectivity. It allows you to define subnets, configure routing, and set up network security groups (NSGs) to control traffic flow. The virtual network serves as the backbone for connecting your on-premises infrastructure to Azure resources securely. |
| 95 | +- **VPN Gateway or ExpressRoute:**<br> |
| 96 | +You can use a VPN gateway or Azure ExpressRoute to link your on-premises network to your Azure virtual network. A VPN Gateway is used for Site-to-Site VPN connections between networks, while ExpressRoute provides a dedicated private connection. Both options enable secure communication between on-premises infrastructure and Azure resources. |
| 97 | +- **Private Endpoints:**<br> |
| 98 | +Azure Private Endpoints are resources that can securely connect Azure services using a private IP from your virtual network. You can limit access to clients in your virtual network by creating a Private Endpoint resource and assigning it to another preexisting resource, such as a Storage Account or Key Vault. |
| 99 | +- **DNS Configuration:**<br> |
| 100 | +Proper DNS configuration is necessary to resolve the private endpoint IP addresses of your resource endpoints. Because you can create a Private DNS Zone and link it to your virtual network during Private Endpoint creation, this configuration can be accomplished during setup. |
| 101 | + |
| 102 | +All services that support Private Endpoints can also be accessed as public endpoints, though some resources can be configured to either reject or allow public connections. |
| 103 | + |
| 104 | +The following diagram illustrates an example of a resource topology for enabling private connectivity to all endpoints that support it. |
| 105 | + |
| 106 | +> [!NOTE] |
| 107 | +> This configuration is one of many possible setups for a private network and doesn't encompass all components involved in network configuration, such as DNS, proxies, and virtual network peering. |
| 108 | +
|
| 109 | +:::image border="false" type="content" source="media/network-prerequisites/networking-topology-sml.png" alt-text="A diagram illustrating an example of a resource topology for enabling private connectivity to all endpoints that support it." lightbox="media/network-prerequisites/networking-topology-lrg.png"::: |
| 110 | + |
| 111 | +<sup>1</sup> Arc Private Link Scopes provide access to three Arc services as shown in the image. The *Extensions* Arc service isn't used by the Storage Mover Agent. It appears muted in the image to avoid confusion.<br> |
| 112 | +<sup>2</sup> Arc Private Link Scopes and the three Arc services to which they connect can both be accessed directly over public endpoints. The Arc Private Link Scope can be configured to enable or disable public network access.<br> |
| 113 | +<sup>3</sup> The recommended best practice is to use multiple Azure Virtual Networks. Use the Azure VPN Gateway to connect to the "hub" Virtual Network. Use a second "spoke" virtual network, connected to the "hub" using virtual network peering, to contain the resources. For detailed guidance, see [What is an Azure landing zone](/azure/cloud-adoption-framework/ready/landing-zone/). |
| 114 | + |
| 115 | +## Public endpoint dependencies |
| 116 | + |
| 117 | +Despite the emphasis on private networking, certain required Storage Mover services are only accessible via public endpoints, as shown in the preceding diagram. These services can be accessed securely over public endpoints using ExpressRoute Microsoft Peering, which provides a private tunnel to Azure services. For more information, see [Microsoft Peering](../expressroute/expressroute-circuit-peerings.md). |
| 118 | + |
| 119 | +The following endpoints *must* be accessible over public endpoints for the Storage Mover Agent to function correctly: |
| 120 | + |
| 121 | +- **Microsoft Artifact Registry** for automated agent updates. |
| 122 | +- **The Storage Mover Service** for agent heartbeats and job coordination. |
| 123 | +- **Event Hubs** for publishing copy logs. |
| 124 | +- **Azure AD/Microsoft Entra ID** for registration and identity management. |
| 125 | +- **Azure Resource Manager** for registration and resource management. |
| 126 | + |
| 127 | +## Arc-enabled server considerations |
| 128 | + |
| 129 | +The Storage Mover Agent is an Arc-enabled server and requires connectivity to several Azure services. Since many Arc services don't support Azure Private Endpoint resources directly, you need to determine if your requirements include communicating with Arc privately. If so, the recommended approach is to configure an Azure Arc Private Link Scope. |
| 130 | + |
| 131 | +A Private Link Scope allows you to maintain private connectivity by facilitating data flow through between private endpoints and the Arc services required by the Storage Mover Agent. For more information about Arc Private Link Scopes, see [Use Azure Private Link to securely connect servers to Azure Arc](/azure/azure-arc/servers/private-link-security). |
| 132 | + |
| 133 | +> [!NOTE] |
| 134 | +> Azure Arc Private Link Scopes aren't required for Storage Accounts or Key Vaults. |
| 135 | +
|
| 136 | +## Additional networking considerations |
| 137 | + |
| 138 | +Beyond the core components, there are networking considerations that can be configured to enhance the security and functionality of the Storage Mover Agent. However, these configurations are optional, depend on your specific network requirements, and might affect networking performance - especially if misconfigured. |
| 139 | + |
| 140 | +### Proxy support |
| 141 | + |
| 142 | +The Storage Mover Agent supports external HTTP and HTTPS proxies. Configuration is done via the agent's shell within the **Network Configuration** section's **Update network configuration** menu. When prompted, select **Proxy** and enter the Fully Qualified Domain Name (FQDN) or IP address of the proxy. Include the port number if necessary. The following example illustrates the configuration steps: |
| 143 | + |
| 144 | +:::image type="content" source="media/network-prerequisites/proxy-configuration-sml.png" alt-text="A screenshot showing the proxy configuration screen in the Storage Mover Agent." lightbox="media/network-prerequisites/proxy-configuration-lrg.png"::: |
| 145 | + |
| 146 | +### SSL inspection |
| 147 | +If your network performs SSL interception, the agent might fail to recognize modified certificates. Currently, adding custom certificates to the agent isn't supported. To avoid issues, add required endpoints to the allowlist to bypass SSL inspection. These endpoints are available in the [Networking overview](#networking-overview) section. |
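Review bot: the "Required ports" table is inconsistent with the services table that follows it. The row `| Blob or File Share target | 443/HTTPS | Agent VM | Azure File Share |` names blob as a target in the first column but lists only "Azure File Share" in the Target column, while the services table says blob and HNS targets need `*.blob.core.windows.net` and `*.dfs.core.windows.net`; the Target cell should cover the storage account blob, dfs and file endpoints, and the protocol cell should read `443/TCP` to match the `445/TCP` and `2049/TCP` rows above it (HTTPS is the application protocol, not the port/protocol pair). Three smaller points in the same hunk: the sentence "For organizations prioritizing security and compliance, integrating Storage Mover with Azure Private Networking ensures that sensitive data and credentials remain protected throughout the migration process." appears verbatim in both the opening paragraph and the paragraph after the NOTE, so one copy can go; in the commented-out Fairfax table the HNS Blob row still lists `*.blob.core.windows.net` where the Flat Blob row directly above uses `*.blob.core.usgovcloudapi.net`, which looks like a copy-paste slip that will surface as soon as the tab is re-enabled; and in "Public endpoint dependencies", "ExpressRoute Microsoft Peering, which provides a private tunnel to Azure services" overstates it, since Microsoft Peering carries traffic to the services' public IP addresses over the circuit rather than the internet, so "a private path to these public endpoints" would be more accurate and would also agree with the list that follows, which says these endpoints must remain publicly reachable.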