FTP server (vsftpd) data connection issue when set up behind Azure Firewall

I have an FTP server configured behind an Azure Firewall. In passive mode, it is able to establish the control connection successfully but occasionally fails to establish the data connection with the error “Data Peer IP [x.x.x.x] differ from control peer IP [x.x.x.x]: This should not happen, aborting the data connection.”. Note that these IPs are private IPs from the Private Address Space CIDR of the firewall. What configurations are required to ensure that a single internal IP is used for both the control and data connections? The FTP server does not have a private IP and I have configured a DNAT rule in the firewall. For testing purposes, I only configured 5 ports in the DNAT rule for passive mode.

I’m not familiar with how Azure handles this kind of firewalling problem. The issue with passive FTP is that the choice of ports used by the data channels is somewhat random. You can restrict this by how you configure vsftpd. See the following blog post on how you’d go about doing that; that way, you can configure your firewall to allow the ports you specify in the configuration.
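An added example of the vsftpd.conf passive-mode settings the answer refers to (not the answer author's or the vsftpd project's own configuration); the port range and the public address are constructed placeholders:

```ini
# vsftpd.conf fragment (added example, constructed values)
pasv_enable=YES
# Limit data-connection ports to exactly the ports published in the
# firewall DNAT rule; this five-port range is a constructed placeholder
pasv_min_port=50000
pasv_max_port=50004
# Address advertised to clients in the PASV reply: the firewall's public
# IP, not the server's own address (203.0.113.10 is a placeholder)
pasv_address=203.0.113.10
# vsftpd rejects a data connection whose source IP differs from the control
# connection's source IP; a firewall that SNATs through several instance
# addresses triggers exactly that rejection. pasv_promiscuous=YES disables
# the check. Leave it at the default (NO) unless every data connection is
# known to arrive only through that trusted firewall.
#pasv_promiscuous=YES
```

The five-port range mirrors the test setup in the question; size it for the number of concurrent data connections you expect, and keep the firewall's allowed ports identical to pasv_min_port..pasv_max_port.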