FTP server design considerations

In this article, I lay out the most noteworthy FTP server design considerations. Whether you are installing on an on-premises or cloud-based virtual machine, on a physical server, or using a cloud PaaS-based service, certain factors need to be taken into account.

FTP server design considerations

Ask yourself the right questions and take notes of the following information:

  • Which FTP-related protocols do you require support for (SFTP, FTPS, FTP)?
  • What is the approximate number of users which will be accessing the FTP server?
  • What are the locations from which the users will be accessing the FTP server (Internet, corporate LAN)?
  • What is the expected maximum network bandwidth for file transfer? You can start by calculating the maximum read and write operations in a given time slot and then calculate the minimum required Mbps FTP server file transfer rate by using reduction logic.
  • If you already have an FTP(S) server running on a physical or virtual machine, what is the minimum and recommended hardware configuration (vCPU, RAM, disk IOPS) for the FTP(S) server to perform acceptably? If you go for minimum VM requirements, in the case of an Azure VM the choice is either the B-series or the D-series virtual machines. The absolute minimum is 2 vCPU and 4 GB RAM, but in reality these numbers should go up as your FTP traffic requirements grow.
  • Do you require Windows over Linux as the operating system hosting the FTP server?
  • Do you have an IoT/edge scenario in which the FTP server and/or the FTP clients are going to be running on an IoT/edge network?
  • What are the minimum security levels that you require for your FTP server and data? Do you require an application gateway device, such as Azure Application Gateway? Do you require direct Internet access, or should your solution be accessible only via secure VPN, ExpressRoute and/or another secure solution, and over private IP space only?
  • What type of authentication will you be using? Will the anonymous/ftp user be enabled? Will you use a plain username/password, or will you utilize an SSH key pair for more secure file transfer operations?
  • What endpoint and server anti-malware solution will you deploy? In the case of Azure cloud, you can utilize the Microsoft Defender for Cloud and Microsoft Defender for Endpoint/Server resources.
  • Do you require backup of the FTP server itself as well as separate backup of the FTP data?
  • Do you require high availability for the FTP server? In the case of Azure VM(s), consider datacenter-level and zone-level redundancy (make use of 3 availability zones inside an Azure region), or consider region-level redundancy by implementing either a disaster recovery site or a minimum of two FTP servers running in different regions and kept in sync.

FTP server implementation options in Windows Server

  • Deploy the IIS Web Server and configure FTP service as a server role service of IIS. Managing all FTP services and features can be done via the IIS Manager console.
  • Deploy third-party software with Windows Server support. Examples are the FileZilla, Wing, Sysax and Cerberus FTP servers.

FTP server implementation options in Linux Ubuntu server

The following options are generally available for implementing an FTP server in Linux Ubuntu.

  • Deploy an SSH daemon (e.g. OpenSSH) and configure an SFTP server. This should allow for secure file transfer and management, but it will not allow FTP or FTPS. This server can be deployed on-premises or as a cloud VM. In the case of cloud, you can optionally utilize a PaaS-based storage service to host your files and make use of a FUSE file system on the FTP server to connect to that cloud storage. An example of this would be to make use of an Azure Blob Storage account and have this account mounted to your FTP server via BlobFuse v2 for storing FTP data. BlobFuse is a virtual file system driver for Azure Blob Storage. Use BlobFuse to access your existing Azure block blob data through the Linux file system.
  • Deploy an FTP server daemon, such as vsftpd (https://ubuntu.com/server/docs/service-ftp). This will allow FTP and FTPS functionality, as well as SFTP, in coordination with SSH. This server can be deployed on-premises or as a cloud VM, with the same remarks applying as in the previous option.
  • Deploy third-party FTP server software with Linux support. Examples are the FileZilla and Wing FTP servers.
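For the vsftpd option, the authentication and transport questions from the checklist (anonymous user, FTP versus FTPS) map directly onto a handful of vsftpd.conf options. The following is an added example, not code from this article or from the vsftpd project: a small Python audit that applies the built-in defaults documented in vsftpd.conf(5) and flags weak settings; the function names and both sample configurations are constructed for illustration.

```python
# Added example (not from the article): audit vsftpd.conf text against the
# authentication and transport questions in the checklist above.
# Built-in defaults as documented in vsftpd.conf(5); a distribution's shipped
# file may override them, which is why the file is parsed on top of these.
DEFAULTS = {
    "anonymous_enable": "YES", "ssl_enable": "NO",
    "force_local_logins_ssl": "YES", "force_local_data_ssl": "YES",
    "chroot_local_user": "NO", "pasv_min_port": "0", "pasv_max_port": "0",
}

def parse_conf(text):
    """Effective settings: defaults overridden by option=value lines."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            settings[key] = value
    return settings

def yes(value):
    # vsftpd treats YES, TRUE and 1 (any case) as true
    return value.strip().upper() in ("YES", "TRUE", "1")

def audit(settings):
    """Return (option, reason) pairs for settings that weaken the server."""
    findings = []
    if yes(settings["anonymous_enable"]):
        findings.append(("anonymous_enable", "anonymous/ftp logins allowed"))
    if not yes(settings["ssl_enable"]):
        findings.append(("ssl_enable", "plain FTP: logins and data in cleartext"))
    else:
        for opt in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not yes(settings[opt]):
                findings.append((opt, "clients may fall back to cleartext"))
    if not yes(settings["chroot_local_user"]):
        findings.append(("chroot_local_user", "users not confined to home dir"))
    if 0 in (int(settings["pasv_min_port"]), int(settings["pasv_max_port"])):
        findings.append(("pasv_min_port", "passive port range not pinned for firewalling"))
    return findings

# Constructed sample inputs, not taken from any real server.
WEAK = "listen=YES\nlocal_enable=YES\nwrite_enable=YES\n"
HARDENED = ("anonymous_enable=NO\nssl_enable=YES\nchroot_local_user=YES\n"
            "pasv_min_port=50000\npasv_max_port=50100\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_conf(conf)))
```

The audit does not model `chroot_list_enable`, which inverts the meaning of `chroot_local_user` for listed users, so review that option by hand if it is set.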

FTP server implementation options in Cloud PaaS storage

Instead of deploying and managing an FTP server yourself, you can utilize a cloud-based PaaS storage service which allows SFTP client endpoints to connect. This way, you can make the most of all available file transfer and management features, without the hassle of managing and operating an FTP server along with all of the tasks associated with it (OS updates, proactive security monitoring, backups, etc.). Some notable examples are the below.


In essence, the SFTP service connector can be enabled inside any Azure Blob Storage account, assuming that the hierarchical namespace is enabled.


Another design option, if you are already invested in cloud object storage, is to utilize a service such as FileMage (https://www.filemage.io/), which allows you to expose SFTP, FTPS and FTP connectors to an existing cloud storage account and use that account as your FTP repository. FileMage has applications in all major public cloud marketplaces. In the case of Azure, here is the FileMage app in the Azure marketplace (https://azuremarketplace.microsoft.com/en-us/marketplace/apps/filemagellc.filemage-gateway-vm).