This chapter covered several key services related to implementing storage in Microsoft Azure. Topics included how to create and manage Azure storage accounts, Blob Storage, Azure Files, importing and exporting data, Storage Explorer, AzCopy, lifecycle management, and object replication.
Here are some of the key takeaways from this chapter:
- Azure storage accounts provide four separate services: Blob Storage, Table Storage, Queue Storage, and Azure Files. It is important to understand the usage scenarios of each service.
- Standard storage accounts use magnetic drives and provide the lowest cost per GB. This type of account is best suited for applications that require bulk storage or where data is accessed infrequently.
- Premium storage accounts use solid-state drives and offer consistent, low-latency performance. Premium performance is available for block blobs, Azure file shares, and page blobs (the type used for Azure virtual machine disks), and is best for I/O-intensive workloads such as databases.
- Storage accounts must specify a replication mode. The options are locally redundant (LRS), zone-redundant (ZRS), geo-redundant (GRS), read-access geo-redundant (RA-GRS), geo-zone-redundant (GZRS), and read-access geo-zone-redundant (RA-GZRS).
- Blob Storage supports three types of blobs (block, page, and append blobs), and four access tiers (Hot, Cool, Cold, and Archive).
- Three kinds of storage accounts are discussed in this chapter: General-purpose v1, General-purpose v2, and Blob Storage. The availability of features varies between account kinds. General-purpose v1 and Blob Storage accounts are legacy kinds and are not recommended for new deployments; use General-purpose v2.
- Azure Storage can be managed through several tools directly from Microsoft: the Azure portal, PowerShell, CLI, Storage Explorer, and AzCopy. It is important to know when to use each tool.
- Access to storage accounts can be controlled using several techniques. Among them are Microsoft Entra ID authentication with Azure RBAC; the storage account name and key (Shared Key); shared access signatures (SAS); a service SAS bound to a stored access policy; and the storage firewall with virtual network service endpoints. Access to Blob Storage can also be controlled using the anonymous (public) access level of a container, which takes effect only if anonymous access is allowed at the account level. Keep in mind that an account key grants full control of the whole account and cannot be scoped, and a SAS signed with it can be revoked only by regenerating that key (or, for a SAS bound to a stored access policy, by deleting the policy), so prefer Entra ID authorization and disable Shared Key access where nothing depends on it.
- You can also use AzCopy to copy files between storage accounts, or from publicly accessible locations outside Azure into your storage account.
- Azure Storage has a lifecycle-management capability that transitions data to cooler access tiers automatically based on preconfigured rules, and can delete data at the end of its lifecycle. The policy runs against the storage account once per day, so a new or changed rule can take up to 24 hours to take effect. Specific blobs and containers can be targeted using filter sets (prefix matches and blob types).
- Azure Storage also provides object replication, which asynchronously replicates block blobs from a container in one storage account to a container in another, based on the rules defined in a replication policy.
- Object replication requires blob versioning to be enabled on both the source and destination storage accounts, and the blob change feed to be enabled on the source account.
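The following is an added example, not code from the chapter, showing how the object-replication prerequisites and a replication policy described above are configured with the Az PowerShell module (Az.Accounts and Az.Storage, after Connect-AzAccount). The resource group, account names, container names and prefix are placeholders chosen for illustration; the caller needs a data-plane role such as Storage Blob Data Contributor on both accounts to create the containers.

```powershell
# Added example: object replication between two existing storage accounts.
# Placeholder names; the accounts must be general-purpose v2 or premium block blob.
$rg   = "rg-storage-demo"      # assumed resource group
$src  = "stsourcedemo01"       # assumed source account
$dest = "stdestdemo01"         # assumed destination account

# Prerequisites from the chapter: versioning on both accounts, change feed on the source.
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $src `
    -IsVersioningEnabled $true -EnableChangeFeed $true | Out-Null
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $dest `
    -IsVersioningEnabled $true | Out-Null

# Source and destination containers must exist before the rule is created.
# -UseConnectedAccount authenticates with the signed-in Entra ID identity, not the account key.
$srcCtx  = New-AzStorageContext -StorageAccountName $src  -UseConnectedAccount
$destCtx = New-AzStorageContext -StorageAccountName $dest -UseConnectedAccount
New-AzStorageContainer -Name "logs"         -Context $srcCtx  -Permission Off -ErrorAction SilentlyContinue | Out-Null
New-AzStorageContainer -Name "logs-replica" -Context $destCtx -Permission Off -ErrorAction SilentlyContinue | Out-Null

# One rule: replicate block blobs under the "2024/" prefix (assumed) created on or after 1 Jan 2024.
$rule = New-AzStorageObjectReplicationPolicyRule -SourceContainer "logs" `
    -DestinationContainer "logs-replica" -PrefixMatch "2024/" -MinCreationTime (Get-Date "2024-01-01")

# The policy is created on the destination first (Azure assigns the PolicyId), then the
# returned object is applied to the source so both accounts carry the same policy.
$srcId      = (Get-AzStorageAccount -ResourceGroupName $rg -Name $src).Id
$destPolicy = Set-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $dest `
    -PolicyId default -SourceAccount $srcId -Rule $rule
Set-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $src -InputObject $destPolicy | Out-Null

# Verify the policy is present on the source side.
Get-AzStorageObjectReplicationPolicy -ResourceGroupName $rg -StorageAccountName $src |
    Format-List PolicyId, SourceAccount, DestinationAccount, Rules
```

Replication is asynchronous, so a blob written to the source container is not guaranteed to be present in the destination immediately; check the blob's replication status on the source before relying on the copy.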
In this thought experiment, apply what you have learned about this objective. You can find answers to these questions in the next section.
You are asked to design an Azure Storage solution for a large insurance company. The company wants the data to be accessible based on the role of individual users within the organization. Various departments have their own datasets that they access on a daily basis. The company wants to restrict users from modifying the data of other departments, but all users must be able to read data across departments.
Also, there is a requirement to store that data forever with minimal cost possible. The data is rarely used after two years from the date it was last modified.
- What steps should you take to assign storage access based on users' departments?
- What changes need to be made in order to keep storing data forever with minimal cost?
This section contains the solution to the thought experiment for the chapter.
To solve this problem, you can combine two capabilities of Azure Storage: Microsoft Entra ID authentication with Azure role-based access control for the access requirements, and lifecycle management for the retention requirement.
- Create an Azure storage account and create one container per department to hold that department's data. Assign the Storage Blob Data Reader role to every department group at the storage account scope, and assign the Storage Blob Data Contributor role to each department group only at the scope of its own container. Azure RBAC is additive, so every user can read all departments' data but can modify only the data in their own department's container. Use Entra ID groups rather than individual users, and avoid handing out the account key or account-level SAS tokens, since either would bypass these per-container roles.
- Create a rule on the Lifecycle Management blade for the storage account and select the Apply Rule To All Blobs In Your Storage Account option. Add an if-then block that moves base blobs to the Archive tier when they were last modified more than 730 days (two years) ago, and do not add a Delete action. Data then remains indefinitely at the lowest per-GB price. Note that Archive is an offline tier: a blob must be rehydrated to Hot or Cool before it can be read, which can take hours, and archived blobs deleted or re-tiered before 180 days incur an early-deletion charge.
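The following is an added example, not code from the chapter, that implements both parts of the solution with the Az PowerShell module (Az.Accounts, Az.Resources and Az.Storage, after Connect-AzAccount). The resource group, account name, region, department names and the Entra ID group naming convention (dept-<department>) are assumptions for illustration; the groups are assumed to exist already.

```powershell
# Added example: per-department containers with read-everywhere / write-at-home RBAC,
# plus a lifecycle rule that archives blobs two years after last modification.
$rg          = "rg-insurance-data"     # assumed resource group
$acct        = "stinsurancedata01"     # assumed storage account name
$location    = "eastus"                # assumed region
$departments = @("claims", "underwriting", "actuarial")   # assumed departments

# 1. Hardened general-purpose v2 account: anonymous blob access off, Shared Key off so only
#    Entra ID identities (and user delegation SAS they issue) can reach the data, TLS 1.2 minimum.
New-AzStorageAccount -ResourceGroupName $rg -Name $acct -Location $location `
    -SkuName Standard_LRS -Kind StorageV2 -AccessTier Hot `
    -AllowBlobPublicAccess $false -AllowSharedKeyAccess $false -MinimumTlsVersion TLS1_2 | Out-Null

$acctId = (Get-AzStorageAccount -ResourceGroupName $rg -Name $acct).Id
# Data-plane context using the signed-in identity; with Shared Key disabled this is the
# only way in, so the caller itself needs Storage Blob Data Contributor (or Owner) here.
$ctx = New-AzStorageContext -StorageAccountName $acct -UseConnectedAccount

foreach ($dept in $departments) {
    # One private container per department.
    New-AzStorageContainer -Name $dept -Context $ctx -Permission Off | Out-Null

    # 2. RBAC: Reader for every department group at account scope, Contributor only on the
    #    group's own container. Roles are additive, so members read all containers but
    #    write only to theirs. Group display names follow the assumed "dept-<name>" pattern.
    $group = Get-AzADGroup -DisplayName "dept-$dept"
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Storage Blob Data Reader" `
        -Scope $acctId | Out-Null
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Storage Blob Data Contributor" `
        -Scope "$acctId/blobServices/default/containers/$dept" | Out-Null
}

# 3. Lifecycle management: tier block blobs to Archive 730 days after last modification.
#    A filter with no prefix applies to every block blob in the account (the portal's
#    "Apply rule to all blobs" option). No Delete action, so data is kept indefinitely.
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToArchive `
    -DaysAfterModificationGreaterThan 730
$filter = New-AzStorageAccountManagementPolicyFilter -BlobType blockBlob
$rule   = New-AzStorageAccountManagementPolicyRule -Name "archive-after-two-years" `
    -Action $action -Filter $filter
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $acct -Rule $rule | Out-Null

# Review what was applied.
Get-AzRoleAssignment -Scope $acctId | Select-Object DisplayName, RoleDefinitionName, Scope
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $acct).Rules
```

Because Shared Key is disabled, Storage Explorer and AzCopy must be used with Entra ID sign-in against this account; attempts to use the account key or an account SAS will be rejected. The lifecycle policy is evaluated once a day, so the first archive transitions appear up to 24 hours after the rule is created.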