Creating a new storage account is straightforward. Give it a name and a location. The next selection is the performance tier required: Standard or Premium.
Standard refers to magnetic (HDD-backed) storage and Premium to SSD-backed storage. But the Premium selection in a general-purpose account only supports page blobs; block blobs, append blobs, file shares, tables and queues are not available. For Standard storage the account kind now defaults to StorageV2 (general-purpose v2), which supports all of these services and is the kind to choose for new deployments. You can still select the legacy BlobStorage kind, but it holds blobs only.
Data in an Azure Storage account is always replicated three times in the primary region. Azure Storage offers two options for how your data is replicated in the primary region:
- Locally-redundant storage (LRS) – copies your data synchronously three times within a single physical location in the primary region. LRS is the least expensive replication option, but is not recommended for applications requiring high availability.
- Zone-redundant storage (ZRS) – copies your data synchronously across three Azure availability zones in the primary region. For applications requiring high availability, Microsoft recommends using ZRS in the primary region, and also replicating to a secondary region.
LRS protects your data against server rack and drive failures. However, if a disaster such as fire or flooding occurs within the data center, all replicas of a storage account using LRS may be lost. To mitigate this risk, Microsoft recommends using ZRS or one of the following:
- Geo-redundant storage (GRS) – copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in a secondary region that is hundreds of miles away from the primary region.
- Geo-zone redundant storage (GZRS) – data in a GZRS storage account is copied across three Azure availability zones in the primary region and is also replicated to a secondary geographic region for protection from regional disasters
Geo-redundant storage (GRS or GZRS) replicates your data to a second physical location in the secondary region to protect against regional outages. However, the copy in the secondary region is only readable if you choose one of the read-access variants below; otherwise it is only usable after a failover to the secondary region:
- Read-access geo-redundant storage (RA-GRS)
- Read-access geo-zone redundant storage (RA-GZRS)
Access tiers, Hot and Cool, refer to how the data is optimised for access. The Hot tier is optimised for data that is accessed frequently; the Cool tier is optimised for data that is accessed infrequently and stored for at least 30 days. Data costs less to store in the Cool tier, but costs more to access.
We can also configure the Networking options for the storage account. First of all, the Connectivity Method:
- Public endpoint (all networks) – the storage account has a public endpoint that is reachable from anywhere on the internet.
- Public endpoint (selected networks) – the public endpoint stays, but the storage firewall only admits traffic from the virtual networks (via service endpoints) and public IP ranges you list. Note that this does not place the storage account inside your vNet; it restricts who may reach its public endpoint.
- Private endpoint – assigns a private IP address from your vNet to the storage account and carries all traffic between the vNet and the storage account over Private Link, so the public endpoint can be disabled entirely.
Access Keys and SAS
If we look at the properties of the storage account, there are both primary and secondary blob service endpoints. The secondary endpoint only serves reads, and only when the account uses RA-GRS or RA-GZRS; if the primary becomes unavailable we can read from the secondary. To use either endpoint we must authenticate, for example with the account access keys.
In the Access Keys section, Azure gives us two access keys, key 1 and key 2. Anyone holding either of these master keys has complete access to the storage account, so treat them as secrets: keep them out of source code and configuration files. They can be regenerated (rotate key 1 while clients use key 2, then swap), and should be regenerated immediately if they are ever exposed, but it is better not to leak them in the first place.
The recommended way to give applications or individuals access is a Shared Access Signature (SAS). This is effectively a token signed with one of the master keys that grants only the permissions, resources and time window we define. However, an ad hoc SAS cannot be revoked on its own: the only way to invalidate it is to regenerate the key that signed it, which also invalidates every other SAS signed with that key. Microsoft therefore recommends creating a SAS based on a Stored Access Policy (SAP). Access policies (SAP) are defined per container in a storage account, and a SAS that references one inherits its permissions and expiry, so the SAS can be revoked at any time by changing or deleting the policy. You can associate a SAS with an SAP in Azure Storage Explorer (or with the SDK or CLI).
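To make the access-key and SAS points above concrete, here is an added example (not code from the original post or from Azure's SDK) that re-implements service-SAS signing with the Python standard library and then models the checks the service performs. It follows the documented string-to-sign for REST version 2018-11-09; the account name, container, blob, policy name and both keys are constructed for the demo. It shows that an ad hoc SAS is nothing more than its query parameters plus an HMAC over them under the account key, so tampering breaks the signature, rotating the key revokes every SAS at once, and a SAS bound to a stored access policy can be revoked by deleting the policy while the key stays in service.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Illustrative re-implementation of service-SAS signing (REST version 2018-11-09).
# Use the Azure SDK in real code; this exists to show what the signature covers.
SAS_VERSION = "2018-11-09"


def _sign(account_key_b64: str, string_to_sign: str) -> str:
    """HMAC-SHA256 over the string-to-sign, keyed with the decoded account key."""
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def _string_to_sign(account, container, blob, perms, start, expiry, policy_id, ip, proto):
    canonical = f"/blob/{account}/{container}/{blob}"
    # Field order is fixed by the service; anything outside this list is unprotected.
    fields = [perms, start, expiry, canonical, policy_id, ip, proto, SAS_VERSION,
              "b", "",              # signedResource (blob), signedSnapshotTime
              "", "", "", "", ""]   # rscc, rscd, rsce, rscl, rsct response overrides
    return "\n".join(fields)


def make_blob_sas(account, account_key_b64, container, blob, *, permissions="",
                  start="", expiry="", policy_id="", ip="", protocol="https"):
    """Query string of a service SAS for one blob. Ad hoc: pass permissions/expiry.
    Policy-backed: pass policy_id and leave permissions/expiry empty."""
    sig = _sign(account_key_b64, _string_to_sign(account, container, blob, permissions,
                                                  start, expiry, policy_id, ip, protocol))
    params = {"sv": SAS_VERSION, "sr": "b", "spr": protocol}
    for name, value in (("sp", permissions), ("st", start), ("se", expiry),
                        ("si", policy_id), ("sip", ip)):
        if value:
            params[name] = value
    params["sig"] = sig
    return urlencode(params)


def verify_blob_sas(account, account_key_b64, container, blob, sas_query, policies, now=None):
    """Model of the service-side check: signature, then policy lookup, then expiry.
    Returns (accepted, permissions or rejection reason)."""
    q = {k: v[0] for k, v in parse_qs(sas_query).items()}
    if q.get("sv") != SAS_VERSION or q.get("sr") != "b":
        return False, "unsupported token"
    policy_id = q.get("si", "")
    expected = _sign(account_key_b64, _string_to_sign(
        account, container, blob, q.get("sp", ""), q.get("st", ""), q.get("se", ""),
        policy_id, q.get("sip", ""), q.get("spr", "")))
    # Any edit to sp/se/si changes the expected MAC; a regenerated key changes all of them.
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False, "bad signature"
    if policy_id:
        policy = policies.get(policy_id)
        if policy is None:                      # deleting the policy revokes its SAS tokens
            return False, "policy revoked or unknown"
        perms, expiry = policy["permissions"], policy["expiry"]
    else:
        perms, expiry = q.get("sp", ""), q.get("se", "")
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if expiry and expiry < now:                 # ISO-8601 UTC strings sort lexicographically
        return False, "expired"
    return True, perms


def demo():
    """Lifecycle of an ad hoc SAS versus a policy-backed SAS (all inputs constructed)."""
    account, container, blob = "labstorage", "reports", "q1.pdf"
    key1 = base64.b64encode(bytes(range(64))).decode()        # constructed, not a real key
    key2 = base64.b64encode(bytes(range(64, 128))).decode()   # the "regenerated" key
    expiry = "2030-01-01T00:00:00Z"
    results = {}

    adhoc = make_blob_sas(account, key1, container, blob, permissions="r", expiry=expiry)
    results["adhoc_ok"] = verify_blob_sas(account, key1, container, blob, adhoc, {})
    # A client tries to upgrade read-only to read/write by editing the token.
    results["adhoc_tampered"] = verify_blob_sas(account, key1, container, blob,
                                                adhoc.replace("sp=r&", "sp=rw&"), {})
    # The only revocation for an ad hoc SAS: regenerate the signing key.
    results["adhoc_after_rotation"] = verify_blob_sas(account, key2, container, blob, adhoc, {})

    policies = {"read-q1": {"permissions": "r", "expiry": expiry}}
    policy_sas = make_blob_sas(account, key1, container, blob, policy_id="read-q1")
    results["policy_ok"] = verify_blob_sas(account, key1, container, blob, policy_sas, policies)
    # Revoke the policy SAS by deleting the policy; key1 is untouched.
    results["policy_revoked"] = verify_blob_sas(account, key1, container, blob, policy_sas, {})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

Note that the policy-backed token carries no `sp` or `se` at all: the permissions and expiry live in the container's stored access policy, which is why editing the policy takes effect on every token that references it without touching the account keys.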
See this post for hands-on creating and managing an Azure Storage account based on this lab.