Azure Files security compatibility on Container Apps
This post covers the security settings that are compatible when using Azure Storage with Container Apps.
Overview
In terms of storage, Container Apps allows Azure Files to be mounted from an Azure Storage Account. This post refers to the security settings that can be chosen on an Azure Files Share under Security -> Protocol settings.
When creating a Storage Account through typical means (e.g., the portal or other tooling, with default settings), Security -> Protocol settings defaults to Maximum Compatibility, where all options are checked. This means any that fail will fall back to others that may work.
If a configuration that is not compatible with ACA is chosen, this will manifest as Storage Volume errors on the Container App side with mount error(13): Permission denied. You can find more information on troubleshooting mount issues here. The Permission denied error will show in your Container App's system logs.
Aside from using Maximum Compatibility (which just checks every box), the "highest" realistic settings a user can choose when setting Profile -> Custom are the following:
- SMB protocol versions: SMB 3.1.1, SMB channel encryption: AES-128-GCM, (Optional: Authentication mechanisms -> NTLM V2)
Explicitly using only Kerberos authentication will fail. This cannot be used. Additionally, using SMB 3.1.1 with only AES-256-GCM will also fail. Using any lower versions of SMB under 3.1.1 will fail.
Using the Maximum Security profile will also fail, since it uses the following: SMB 3.1.1, AES-256-GCM, Kerberos (with Kerberos ticket encryption -> AES-256).
In short, sticking with Maximum Compatibility or setting a custom profile to SMB protocol versions: SMB 3.1.1, SMB channel encryption: AES-128-GCM, (Optional: Authentication mechanisms -> NTLM V2) are the two general options available.
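As an added example (not part of the original post and not Azure's own code), the following Python check applies the failure conditions above to a file share's SMB settings before the share is mounted in a Container App. The JSON shape is an assumption modeled on the protocolSettings.smb object printed by az storage account file-service-properties show, the function name is hypothetical, and the sample values are constructed.

```python
import json

# Constructed samples. Assumed shape: semicolon-separated strings, with
# null/None meaning "nothing restricted" (the Maximum Compatibility default).
MAX_SECURITY = json.loads("""{
  "versions": "SMB3.1.1",
  "authenticationMethods": "Kerberos",
  "kerberosTicketEncryption": "AES-256",
  "channelEncryption": "AES-256-GCM"
}""")
CUSTOM_OK = {"versions": "SMB3.1.1", "authenticationMethods": "NTLMv2",
             "kerberosTicketEncryption": None, "channelEncryption": "AES-128-GCM"}
MAX_COMPAT = {"versions": None, "authenticationMethods": None,
              "kerberosTicketEncryption": None, "channelEncryption": None}


def _allowed(smb, key):
    """Return the set of allowed values, or None when the setting is unset."""
    raw = smb.get(key)
    if not raw:
        return None
    return {v.strip().upper() for v in raw.split(";") if v.strip()}


def aca_mount_problems(smb):
    """List the settings this post says make the Container Apps mount fail."""
    problems = []
    # Interpretation of "lower versions under 3.1.1 fail": 3.1.1 must be enabled.
    versions = _allowed(smb, "versions")
    if versions is not None and "SMB3.1.1" not in versions:
        problems.append("SMB 3.1.1 is not enabled")
    # Kerberos as the only authentication mechanism fails.
    if _allowed(smb, "authenticationMethods") == {"KERBEROS"}:
        problems.append("authentication is Kerberos-only")
    # AES-256-GCM as the only channel encryption fails.
    if _allowed(smb, "channelEncryption") == {"AES-256-GCM"}:
        problems.append("channel encryption is AES-256-GCM only")
    return problems


if __name__ == "__main__":
    for name, smb in [("max security", MAX_SECURITY), ("custom", CUSTOM_OK),
                      ("max compatibility", MAX_COMPAT)]:
        print(name, "->", aca_mount_problems(smb) or "compatible per this post")
```

Combinations the post does not mention (for example AES-128-CCM as the only channel encryption) are not flagged, so an empty result means only that none of the failure conditions named here were found.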
For other storage troubleshooting articles, see: