Author: zeusexam

Upload and download data using AzCopy You can upload data to Azure Blob Storage using AzCopy. The only condition is that the storage account and destination container should already exist. In the following example, the CreateUserTemplate.csv file will be copied to the destcontainer. This example assumes that the CSV file is in the location that…

Use Storage Explorer Using Storage Explorer, you can manage each of the storage services: Blob Storage, Azure Tables, Queue Storage, and Azure Files. Table 2-4 summarizes the supported operations for each service. TABLE 2-4 Storage Explorer operations Storage service Supported operations Blob Blob containers Create, rename, copy, delete, control public access level, manage leases, and…

Configure storage account encryption Data in an Azure storage account is encrypted using AES 256-bit encryption and is FIPS 140-2 compliant. Encryption in an Azure storage account is enabled automatically and cannot be disabled. By default, Microsoft manages the keys used to encrypt and decrypt the data. In this sce- nario, Microsoft is responsible for…

Configure object replication Azure Storage blob object replication provides asynchronous replication of block blobs from one storage account to another. The blobs are replicated based on the defined replication rules. Using object replication requires that the blob versioning options are enabled for both the source and destination storage accounts. Additionally, the source storage account must…

  Resource scope for blobs and queues It is also important to determine the scope of the access for the security principal before you assign an RBAC role. You can narrow the scope to the container, queue, or table level. Here are the valid scopes: Entra ID authentication and authorization in the Azure portal In…

Managing access keys in Azure Key Vault It is important to protect the storage account access keys because they provide full access to the storage account. Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services, such as authentication keys, storage account keys, data encryption keys, and certificate private keys….

Use user delegation SAS You can also create user delegation SAS using Microsoft Entra ID credentials. The user delega- tion SAS is only supported by Blob Storage, and it can grant access to containers and blobs. Currently, SAS is not supported for user delegation SAS. Configure stored access policies A SAS token incorporates the access…

Create and use shared access signature (SAS) tokens There are a few different ways you can create a SAS token. A SAS token is a way to granularly control how a client can access data in an Azure storage account. You can also use an account- level SAS to access the account itself. You can…

Virtual network service endpoints In some scenarios, a storage account is only accessed from within an Azure virtual network. In this case, it is desirable from a security standpoint to block all internet access. Configuring virtual network service endpoints for your Azure storage account, you can remove access from the public internet and only allow…

Configure Azure Storage firewalls and virtual networks Storage accounts are managed through Azure Resource Manager. Management operations are authenticated and authorized using Microsoft Entra ID RBAC. Each storage service exposes its own endpoint used to manage the data in that storage service (blobs in Blob Storage, entities in tables, and so on). These service-specific endpoints…