Merge pull request #313840 from duongau/firewall-freshness-review-564969-P2b

Azure Firewall P2b freshness review - tutorial step simplification and bug fixes

Author: JamesJBarnett

articles/firewall/firewall-sftp.md

@@ -1,37 +1,36 @@
 ---
 title: Access a storage account using SFTP over an Azure Firewall static public IP address
-description: In this article, you use Azure PowerShell to deploy Azure Firewall to access a storage account container via SFTP.
-services: firewall
+description: Access a storage account container via SFTP by using Azure Firewall and Azure PowerShell.
 author: duongau
+ms.author: duau
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 04/27/2023
-ms.author: harjsing 
+ms.date: 03/28/2026
 ms.custom: devx-track-azurepowershell
 # Customer intent: As a cloud administrator, I want to configure a secure SFTP connection to an Azure storage account via Azure Firewall, so that I can manage and transfer files securely while ensuring compliance with network security protocols.
 ---
 
-# Access a storage account using SFTP over an Azure Firewall static public IP address
+# Access a storage account by using SFTP over an Azure Firewall static public IP address
 
-You can use Azure Firewall to access a storage account container via SFTP. Azure PowerShell is used to deploy a firewall in a virtual network and configured with DNAT rules to translate the SFTP traffic to the storage account container. The storage account container is configured with a private endpoint to allow access from the firewall. To connect to the container, you use the firewall public IP address and the storage account container name.
+Use Azure Firewall to access a storage account container through SFTP. Use Azure PowerShell to deploy a firewall in a virtual network and configure it with DNAT rules to translate the SFTP traffic to the storage account container. Configure the storage account container with a private endpoint to allow access from the firewall. To connect to the container, use the firewall public IP address and the storage account container name.
 
-:::image type="content" source="media/firewall-sftp/accessing-storage-using-sftp.png" alt-text="Diagram showing SFTP to firewall to access a storage account container." lightbox="media/firewall-sftp/accessing-storage-using-sftp.png":::
+:::image type="content" source="media/firewall-sftp/accessing-storage-using-sftp.png" alt-text="Diagram that shows a customer connecting via SFTP to Azure Firewall, which routes traffic through a private endpoint to a storage account container." lightbox="media/firewall-sftp/accessing-storage-using-sftp.png":::
 
 In this article, you:
 
-- Deploy the network infrastructure
-- Create a firewall policy with the appropriate DNAT rule
-- Deploy the firewall
-- Create a storage account and container
-- Configure SFTP access to the storage account container
-- Create a private endpoint for the storage account container
-- Test the connection to the storage account container
+- Deploy the network infrastructure.
+- Create a firewall policy with the appropriate DNAT rule.
+- Deploy the firewall.
+- Create a storage account and container.
+- Configure SFTP access to the storage account container.
+- Create a private endpoint for the storage account container.
+- Test the connection to the storage account container.
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/pricing/purchase-options/azure-account?cid=msft_learn) before you begin.
 
 [!INCLUDE [updated-for-az](~/reusable-content/ce-skilling/azure/includes/updated-for-az.md)]
 
-This article requires the latest Azure PowerShell modules. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Login-AzAccount` to create a connection with Azure.
+This article requires the latest Azure PowerShell modules. Run `Get-Module -ListAvailable Az` to find the version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
 
 ## Deploy the network infrastructure
 
@@ -50,19 +49,29 @@ $UserPrincipalName = "<your AD user principal name>"
 $ContainerName = "<container-name>"
 ```
 
-Create the network infrastructure. This includes a virtual network, subnets and a public IP address for the firewall.
+Create the network infrastructure. This step includes creating a virtual network, subnets, and a public IP address for the firewall.
 
 ```azurepowershell
-
 # Create a new resource group
-New-AzResourceGroup -Name $rg -Location $location
+New-AzResourceGroup `
+    -Name $rg `
+    -Location $location
 
 # Create new subnets for the firewall
-$FWsub = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix 10.0.1.0/26
-$Worksub = New-AzVirtualNetworkSubnetConfig -Name Workload-SN -AddressPrefix 10.0.2.0/24
+$FWsub = New-AzVirtualNetworkSubnetConfig `
+    -Name AzureFirewallSubnet `
+    -AddressPrefix 10.0.1.0/26
+$Worksub = New-AzVirtualNetworkSubnetConfig `
+    -Name Workload-SN `
+    -AddressPrefix 10.0.2.0/24
 
 # Create a new VNet
-$testVnet = New-AzVirtualNetwork -Name test-fw-vn -ResourceGroupName $rg -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $FWsub, $Worksub
+$testVnet = New-AzVirtualNetwork `
+    -Name test-fw-vn `
+    -ResourceGroupName $rg `
+    -Location $location `
+    -AddressPrefix 10.0.0.0/16 `
+    -Subnet $FWsub, $Worksub
 
 # Create a public IP address for the firewall
 $pip = New-AzPublicIpAddress `
@@ -76,64 +85,98 @@ $pip = New-AzPublicIpAddress `
 ## Create and configure the firewall policy
 
 ```azurepowershell
-
 # Create a new firewall policy
-$policy = New-AzFirewallPolicy -Name "fw-pol" -ResourceGroupName "$rg" -Location $location
+$policy = New-AzFirewallPolicy `
+    -Name "fw-pol" `
+    -ResourceGroupName $rg `
+    -Location $location
 
 # Define new rules to add
-$newrule1 = New-AzFirewallPolicyNatRule -Name "dnat-rule1" -Protocol "TCP", "UDP" -SourceAddress "*" -DestinationAddress $pip.ipaddress -DestinationPort "22" -TranslatedAddress $staticEP -TranslatedPort "22"
+$newrule1 = New-AzFirewallPolicyNatRule `
+    -Name "dnat-rule1" `
+    -Protocol "TCP", "UDP" `
+    -SourceAddress "*" `
+    -DestinationAddress $pip.IpAddress `
+    -DestinationPort "22" `
+    -TranslatedAddress $staticEP `
+    -TranslatedPort "22"
 
 # Add the new rules to the local rule collection object
-$natrulecollection = New-AzFirewallPolicyNatRuleCollection -Name "NATRuleCollection" -Priority 100 -ActionType "Dnat" -Rule $newrule1
+$natrulecollection = New-AzFirewallPolicyNatRuleCollection `
+    -Name "NATRuleCollection" `
+    -Priority 100 `
+    -ActionType "Dnat" `
+    -Rule $newrule1
 
 # Create a new rule collection group
-$natrulecollectiongroup = New-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01" -ResourceGroupName "$rg" -FirewallPolicyName "fw-pol" -Priority 100
+$natrulecollectiongroup = New-AzFirewallPolicyRuleCollectionGroup `
+    -Name "rcg-01" `
+    -ResourceGroupName $rg `
+    -FirewallPolicyName "fw-pol" `
+    -Priority 100
 
 # Add the new NAT rule collection to the rule collection group
 $natrulecollectiongroup.Properties.RuleCollection = $natrulecollection
 
 # Update the rule collection
-Set-AzFirewallPolicyRuleCollectionGroup -Name "rcg-01 " -FirewallPolicyObject $policy -Priority 200 -RuleCollection $natrulecollectiongroup.Properties.rulecollection
-
+Set-AzFirewallPolicyRuleCollectionGroup `
+    -Name "rcg-01" `
+    -FirewallPolicyObject $policy `
+    -Priority 200 `
+    -RuleCollection $natrulecollectiongroup.Properties.RuleCollection
 ```
+
 ## Deploy the firewall
 
 ```azurepowershell
-
 # Create the firewall
 $firewall = New-AzFirewall `
     -Name fw-01 `
     -ResourceGroupName $rg `
     -Location $location `
-    -VirtualNetwork $testvnet `
+    -VirtualNetwork $testVnet `
     -PublicIpAddress $pip `
     -FirewallPolicyId $policy.id
-
 ```
 
 ## Create a storage account and container
 
 ```azurepowershell
-
-New-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -SkuName Standard_LRS -Location $location -EnableHierarchicalNamespace $true -PublicNetworkAccess enabled
+New-AzStorageAccount `
+    -ResourceGroupName $rg `
+    -Name $StorageAccountName `
+    -SkuName Standard_LRS `
+    -Location $location `
+    -EnableHierarchicalNamespace $true `
+    -PublicNetworkAccess Enabled
 
 # Get the subscription and user information
-$subscriptionId = (Get-AzSubscription -SubscriptionName "$SubscriptionName").SubscriptionId
-$user = Get-AzADUser -UserPrincipalName $UserPrincipalName
+$subscriptionId = (Get-AzSubscription `
+    -SubscriptionName $SubscriptionName).SubscriptionId
+$user = Get-AzADUser `
+    -UserPrincipalName $UserPrincipalName
 
 # Give the user contributor role
-New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionName "Storage Blob Data Contributor" -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
+New-AzRoleAssignment `
+    -ObjectId $user.Id `
+    -RoleDefinitionName "Storage Blob Data Contributor" `
+    -Scope "/subscriptions/$subscriptionId/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$StorageAccountName"
 
-#Create the container and then disable public network access
+# Create the container and then disable public network access
 $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName
-New-AzStorageContainer -Name $ContainerName -Context $ctx
-Set-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName -PublicNetworkAccess disabled -Force
+New-AzStorageContainer `
+    -Name $ContainerName `
+    -Context $ctx
+Set-AzStorageAccount `
+    -ResourceGroupName $rg `
+    -Name $StorageAccountName `
+    -PublicNetworkAccess Disabled `
+    -Force
 ```
 
 ### Configure SFTP access to the storage account container
 
 ```azurepowershell
-
 Set-AzStorageAccount `
     -ResourceGroupName $rg `
     -Name $StorageAccountName `
@@ -158,15 +201,15 @@ $localuserPassword = New-AzStorageLocalUserSshPassword `
 # Examine and manually save the password
 
 $localuserPassword
-
 ```
 
 ## Create a private endpoint for the storage account container
 
 ```azurepowershell
-
 # Place the previously created storage account into a variable
-$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name $StorageAccountName
+$storage = Get-AzStorageAccount `
+    -ResourceGroupName $rg `
+    -Name $StorageAccountName
 
 # Create the private endpoint connection
 $pec = @{
@@ -192,29 +235,28 @@ $ipconfig = New-AzPrivateEndpointIpConfiguration @ip
 $pe = @{
     ResourceGroupName = $rg
     Name = 'StorageEP'
-    Location = 'eastus'
-    Subnet = $testvnet.Subnets[1]
+    Location = $location
+    Subnet = $testVnet.Subnets[1]
     PrivateLinkServiceConnection = $privateEndpointConnection
     IpConfiguration = $ipconfig
 }
 
 New-AzPrivateEndpoint @pe
-
 ```
+
 ## Test the SFTP connection
 
-Now, test to ensure you can connect to the storage account container using SFTP. You can use any SFTP client to test the connection. In this example, we use sftp from a command prompt.
+Now, test the connection to make sure you can connect to the storage account container by using SFTP. You can use any SFTP client to test the connection. In this example, use `sftp` from a command prompt.
 
-For example, for a storage account named `teststorageaccount`, a container named `testcontainer`, a local account named `testuser`, and a firewall public IP address of `13.68.216.252`, you would use the following command:
+For example, for a storage account named `teststorageaccount`, a container named `testcontainer`, a local account named `testuser`, and a firewall public IP address of `13.68.216.252`, use the following command:
 
 ```
 sftp [email protected]
 ```
 
 Enter the password you saved earlier when prompted.
 
-
-You should see something similar to the following output:
+You see something similar to the following output:
 
 ```
 > sftp [email protected]
@@ -223,16 +265,14 @@ Connected to 13.68.216.252.
 sftp>
 ```
 
-You should now be connected to the storage account container using SFTP. You can use `put` and `get` commands to upload and download files. Use `ls` to list the files in the container, and `lls` to list the files in the local directory.
+You're now connected to the storage account container by using SFTP. You can use `put` and `get` commands to upload and download files. Use `ls` to list the files in the container, and `lls` to list the files in the local directory.
 
 ## Clean up resources
 
-When no longer needed, you can use the following command to remove the resource group, firewall, firewall policy, and all related resources.
+When you no longer need the resources, use the following command to remove the resource group, firewall, firewall policy, and all related resources.
 
 ```azurepowershell
-
 Remove-AzResourceGroup -Name $rg -Force
-
 ```
 
 ## Next steps