Host an FTP Server on Azure with App Service
Azure App Service doesn’t natively support traditional FTP server functionality.
The core issue is that App Service is a PaaS offering designed for web applications, not a general-purpose virtual machine where you can install and run arbitrary services like an FTP daemon. The underlying infrastructure is managed and abstracted, meaning you don’t have direct OS-level access to configure and expose ports for an FTP server. While App Service does offer FTP deployment endpoints, these are for deploying code to the App Service, not for serving files via FTP from your application.
Here’s how you can achieve something akin to hosting an FTP server on Azure App Service, working around its limitations:
1. Use Azure Blob Storage as your FTP backend and access it via a web app.
This is the most common and recommended approach. You’ll have an App Service (a web app) that acts as an intermediary. Users connect to your web app (via HTTP/HTTPS), and your web app then interacts with Azure Blob Storage to upload/download files. You can then optionally add an SFTP endpoint to the Blob Storage itself if direct file transfer is critical, bypassing the web app for that specific use case.
- Diagnosis/Check:
- Are you trying to allow direct FTP access to files that your web app needs to serve or manage?
- Can your users tolerate accessing files through a web interface rather than a direct FTP client?
- Fix:
- Create an Azure Storage Account: Go to the Azure portal, search for "Storage accounts," and create a new one. Choose "StorageV2 (general purpose v2)" as the account kind.
- Create a Blob Container: Within your storage account, navigate to "Containers" and create a new container (e.g., myftpfiles).
- Develop your App Service Web App:
- Create an Azure App Service (e.g., a Web App for Windows or Linux).
- In your application code (e.g., C#, Node.js, Python), use the Azure Storage SDK to interact with your Blob Storage container.
- Implement endpoints in your web app for uploading and downloading files. For example, a /upload endpoint that accepts POST requests with file data, and a /download/{filename} endpoint that streams files from Blob Storage.
- Secure these endpoints using App Service authentication (e.g., Azure AD, basic authentication) or custom authorization logic.
- Deployment: Deploy your web app to the Azure App Service.
- Why it works: This decouples the file storage from the web application. Blob Storage is designed for scalable, durable object storage, and your web app provides the interface and business logic for accessing those files. You’re not running an FTP server; you’re building an FTP-like service using web technologies and managed Azure services.
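The handler bodies for the /upload and /download/{filename} endpoints described above, as an added example that is not part of the original page. The per-user blob prefix, the function names and the connection-string parameter are assumptions of this example; the storage calls need the azure-storage-blob package, and user_id is assumed to come from the authenticated request.

```python
import re

CONTAINER = "myftpfiles"  # container name used in the steps above
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def blob_name_for(user_id, filename):
    """Map a client-supplied filename to a blob inside the caller's own prefix.

    Only plain names are accepted, so values such as '../bob/report.pdf' or
    'a/b' are rejected before they reach the storage SDK. The per-user prefix
    is an assumption of this example, not something the page prescribes.
    """
    for label, value in (("user id", user_id), ("filename", filename)):
        if not isinstance(value, str) or not SAFE_NAME.fullmatch(value):
            raise ValueError(f"invalid {label}")
    return f"{user_id}/{filename}"


def blob_client(conn_str, blob_name):
    """Return a BlobClient for one blob in the container."""
    # Imported here so the name validation can be exercised without the SDK.
    from azure.storage.blob import BlobServiceClient
    service = BlobServiceClient.from_connection_string(conn_str)
    return service.get_blob_client(container=CONTAINER, blob=blob_name)


def handle_upload(conn_str, user_id, filename, stream):
    """Body of POST /upload: store the stream and refuse to overwrite."""
    name = blob_name_for(user_id, filename)
    # overwrite=False makes the SDK raise ResourceExistsError on a name clash.
    blob_client(conn_str, name).upload_blob(stream, overwrite=False)
    return name


def handle_download(conn_str, user_id, filename):
    """Body of GET /download/{filename}: return an iterator of byte chunks."""
    name = blob_name_for(user_id, filename)
    return blob_client(conn_str, name).download_blob().chunks()
```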
2. Use an Azure VM with an FTP Server (if absolutely necessary).
If you have legacy applications or specific requirements that demand a traditional FTP server, you’ll need to fall back to Infrastructure as a Service (IaaS).
- Diagnosis/Check:
- Is your application strictly dependent on the FTP protocol and cannot be refactored to use HTTP/S, SFTP, or other modern protocols?
- Are you aware of the increased management overhead, security risks, and potential cost implications of running a VM for this purpose?
- Fix:
- Create an Azure Virtual Machine: In the Azure portal, create a new Virtual Machine. Choose an appropriate OS (e.g., Windows Server, Ubuntu).
- Install and Configure FTP Server Software:
- On Windows Server: Install the "FTP Server" role via Server Manager. Configure FTP sites, bindings, authentication, and authorization. Ensure your FTP users have corresponding local user accounts on the VM.
- On Linux (e.g., Ubuntu): Install an FTP server package like vsftpd or proftpd. Configure its settings in /etc/vsftpd.conf (or equivalent). Create FTP user accounts (often by creating system users and configuring vsftpd to allow them).
- Configure Network Security Group (NSG):
- Navigate to the Network Security Group associated with your VM’s network interface.
- Add inbound security rules to allow traffic on the FTP control port (TCP 21) and the passive data ports. For passive mode, you’ll need to define a range of ports in your FTP server configuration (e.g., 50000-50100) and then open that entire range in the NSG.
- Example NSG rule for control port: Protocol: TCP, Source port ranges: *, Source IP addresses: *, Destination port ranges: 21, Destination IP addresses: *, Action: Allow.
- Example NSG rule for passive ports: Protocol: TCP, Source port ranges: *, Source IP addresses: *, Destination port ranges: 50000-50100, Destination IP addresses: *, Action: Allow.
- Configure Firewall on the VM: Ensure the VM’s operating system firewall (Windows Firewall, ufw on Linux) also allows inbound traffic on these ports.
- Why it works: You are essentially running a traditional server in the cloud. The VM provides the OS and the network stack, and you install and manage the FTP server software yourself. The NSG and OS firewall control network access to the ports the FTP server listens on.
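An added check, not part of the original page, that compares the NSG rules with the passive range set in vsftpd.conf and flags rules that admit any source address, as the two example rules above do. The sample config, the rule sets and the 203.0.113.0/24 client range are constructed; rule fields use the names from `az network nsg rule list` output, and each rule is assumed to carry a single destinationPortRange.

```python
VSFTPD_CONF = """\
# constructed sample for this example
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""
ANY_SOURCE = {"*", "0.0.0.0/0", "Internet"}


def rule(name, source, ports):
    """Build a constructed inbound-allow TCP rule (az CLI field names)."""
    return {"name": name, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": source, "destinationPortRange": ports}


PAGE_RULES = [rule("ftp-control", "*", "21"), rule("ftp-passive", "*", "50000-50100")]
RESTRICTED = [rule("ftp-control", "203.0.113.0/24", "21"),
              rule("ftp-passive", "203.0.113.0/24", "50000-50100")]


def passive_range(conf):
    """Return (pasv_min_port, pasv_max_port) from vsftpd.conf text."""
    opts = dict(l.strip().split("=", 1) for l in conf.splitlines()
                if "=" in l and not l.lstrip().startswith("#"))
    return int(opts["pasv_min_port"]), int(opts["pasv_max_port"])


def port_set(spec):
    """Expand an NSG port spec ('21', '50000-50100' or '*') into a set of ints."""
    if spec == "*":
        return set(range(65536))
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def audit(conf, rules):
    """Compare NSG inbound-allow rules with the ports vsftpd actually uses."""
    lo, hi = passive_range(conf)
    needed, opened, findings = {21} | set(range(lo, hi + 1)), set(), []
    for r in rules:
        ports = port_set(r["destinationPortRange"])
        if r["direction"] != "Inbound" or r["access"] != "Allow" or not ports & needed:
            continue
        opened |= ports & needed
        if r["sourceAddressPrefix"] in ANY_SOURCE:
            findings.append(f"{r['name']}: open to any source address")
        if ports - needed:
            findings.append(f"{r['name']}: opens ports vsftpd does not use")
    if needed - opened:
        findings.append("NSG does not cover the control port and full passive range")
    return findings
```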
3. Use Azure Files with SFTP (a more secure alternative to FTP).
If you need direct file access and can use SFTP (SSH File Transfer Protocol), Azure Files offers an SFTP endpoint. This is generally preferred over plain FTP due to its encryption.
- Diagnosis/Check:
- Does your application or client support SFTP?
- Do you need encrypted file transfers?
- Fix:
- Create an Azure Storage Account: If you don’t have one already.
- Create an Azure File Share: Within your storage account, navigate to "File shares" and create a new one.
- Enable SFTP on the Storage Account: Go to your Storage Account in the Azure portal, navigate to "File shares," and then click "Enable SFTP." This will automatically create an SFTP endpoint.
- Create an SFTP User: Under the "File shares" section, you’ll find an option to manage SFTP users. Create a new user, assign a username, and set a strong password or SSH key. You can also specify the root directory for this user within your file share.
- Connect via SFTP Client: Use any standard SFTP client (e.g., FileZilla, WinSCP, sftp command-line utility) to connect to your storage account’s SFTP endpoint using the provided credentials and the storage account’s hostname.
- Why it works: Azure manages the SFTP server infrastructure. You provide the credentials, and Azure handles the SSH daemon, encryption, and connection management, exposing your Azure Files share securely.
The next hurdle you’ll likely encounter is managing credentials and access control securely, especially if you choose the VM-based approach.