I wrote a tool in C# that (among other things) downloads a file using an SFTP connection. This tool seems to work fine for most connections, but recently caused an error while downloading a file from an Azure blob storage SFTP connection. While debugging I noticed that the tool is working fine on my local machine; the error only occurs when running on an Azure service.
For debugging reasons I tried to make the SFTP connection using the command line. While this works fine on my local machine, this also gives an error on the Azure instance. I tried different sftp options, using both ssh-password and ssh-key authentication, but without any effect. The tool is running on an Azure App Service (web app) but I also tested on a Cloud Service (extended support).
Unfortunately I am not the owner of the Azure blob container, but I have contact with the owner. The blob is set to have network access from selected virtual networks and IP-addresses only. Both my own IP-address and all my Azure outgoing IP-addresses (the Azure App Service has multiple) are added to the whitelist. I did check if the outgoing IP is actually one of the listed IPs (using curl ifcfg.me) and it is indeed one of the listed IPs.
On my local machine, the SFTP connection is created without any problems:
sftp -i <key-file> <instance>.<container>.<username>@<instance>.blob.core.windows.net
Connected to <instance>.<container>.<username>@<instance>.blob.core.windows.net.
sftp>
On the Azure App service (web app, using Kudu console), the output is as follows:
sftp -i <key-file> <instance>.<container>.<username>@<instance>.blob.core.windows.net
ssh: connect to host <instance>.blob.core.windows.net port 22: Permission denied
Connection closed
On the Azure Cloud service (extended support), the output is as follows:
sftp -i <key-file> <instance>.<container>.<username>@<instance>.blob.core.windows.net
Received disconnect from <IP> port 22:11: - RequestId:cb9ebcf7-501e-0002-158a-d7c372000000 Time:2024-07-17T14:16:52.5853865Z
Disconnected from <IP> port 22
Connection closed
When I try to connect from my local machine over an IP-address that is not whitelisted (using VPN) the error is the same as on the Azure Cloud service (Received disconnect).
My guess is that the connection is blocked on the Azure blob. I did a TCP connection test (using self support in the Azure portal) to <instance>.blob.core.windows.net:22 from the Azure App service; as this succeeded, I guess the outgoing connection/port is open.
Does anyone have any experience with SFTP connections from an Azure service to an Azure blob? Or any experience with this error on another platform (not 100% sure if it is Azure related)?
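As an added example (not part of the original post): a small Python classifier that sorts the three sftp outputs quoted above by the stage at which the client stopped, using the OpenSSH client's message formats and the SSH_MSG_DISCONNECT reason codes from RFC 4253. The function and constant names are hypothetical; the sample strings are the outputs from the post with its placeholders kept.

```python
import re

# SSH_MSG_DISCONNECT reason codes, RFC 4253 section 11.1 (tuple index = code).
REASONS = ("", "HOST_NOT_ALLOWED_TO_CONNECT", "PROTOCOL_ERROR",
           "KEY_EXCHANGE_FAILED", "RESERVED", "MAC_ERROR", "COMPRESSION_ERROR",
           "SERVICE_NOT_AVAILABLE", "PROTOCOL_VERSION_NOT_SUPPORTED",
           "HOST_KEY_NOT_VERIFIABLE", "CONNECTION_LOST", "BY_APPLICATION",
           "TOO_MANY_CONNECTIONS", "AUTH_CANCELLED_BY_USER",
           "NO_MORE_AUTH_METHODS_AVAILABLE", "ILLEGAL_USER_NAME")

# Message formats printed by the OpenSSH client.
CONNECT_FAIL = re.compile(r"^ssh: connect to host (\S+) port (\d+): (.+)$", re.M)
DISCONNECT = re.compile(r"^Received disconnect from (\S+) port (\d+):(\d+): ?(.*)$", re.M)
REQUEST_ID = re.compile(r"RequestId:([0-9a-fA-F-]{36})")
CONNECTED = re.compile(r"^Connected to \S+", re.M)

# Outputs quoted in the post, placeholders kept as written there.
LOCAL = "Connected to <instance>.<container>.<username>@<instance>.blob.core.windows.net.\nsftp>"
APP_SERVICE = ("ssh: connect to host <instance>.blob.core.windows.net port 22: "
               "Permission denied\nConnection closed")
CLOUD_SERVICE = ("Received disconnect from <IP> port 22:11: - "
                 "RequestId:cb9ebcf7-501e-0002-158a-d7c372000000 "
                 "Time:2024-07-17T14:16:52.5853865Z\n"
                 "Disconnected from <IP> port 22\nConnection closed")

def classify(output):
    """Return the stage at which an sftp attempt stopped, with parsed details."""
    m = CONNECT_FAIL.search(output)
    if m:
        # The client's connect() call failed: no SSH bytes were exchanged,
        # so the storage service never evaluated the key or password.
        return {"stage": "tcp-connect", "host": m.group(1),
                "port": int(m.group(2)), "error": m.group(3).strip()}
    m = DISCONNECT.search(output)
    if m:
        # TCP was established and the peer sent SSH_MSG_DISCONNECT with a code.
        code = int(m.group(3))
        rid = REQUEST_ID.search(m.group(4))
        return {"stage": "ssh-disconnect", "peer": m.group(1), "reason_code": code,
                "reason": REASONS[code] if 0 < code < len(REASONS) else "UNKNOWN",
                "request_id": rid.group(1) if rid else None}
    if CONNECTED.search(output):
        return {"stage": "connected"}
    return {"stage": "unknown"}

if __name__ == "__main__":
    for name, text in (("local", LOCAL), ("app service", APP_SERVICE),
                       ("cloud service", CLOUD_SERVICE)):
        print(name, classify(text))
```

The parsed RequestId is the value to hand to the storage account owner when asking them to look up the rejected connection on their side.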