AZ-104 Study Guide 2024
Azure Storage
Storage Accounts
Storage Accounts can contain blobs, file shares (e.g. SMB, NFS), queues, and tables.
Access Keys allow full access to accounts and the contents therein, assuming connectivity at the network layer.
Data access permissions for a storage account are different than the resource access permissions. A user could have Owner permissions for the storage account, but that does not grant them access to the data in the storage account. But, if you have an Owner role you have the necessary permissions to assign yourself a data access role.
Storage Account Types
Data Protection
Soft Delete can be enabled for blobs, containers, and file shares. Entities are marked for deletion but retained for the specified number of days.
The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account.
☝️ Redundancy/Replication
Locally-redundant storage (LRS): storage is redundant in the same location (AZ) as the primary storage
Zone-redundant storage (ZRS): storage is redundant across multiple availability zones in a single region
Geo-redundant storage (GRS): copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously three times using LRS
Stated another way, GRS stores data using LRS in two different regions.
Geo-zone-redundant storage (GZRS): this is a combination of GRS and ZRS; data is replicated across three AZ's in the primary region and in one location in the secondary region.
Stated another way, GZRS stores data in one region using ZRS and in a second region using LRS.
When you utilize GRS or GZRS, the data in the secondary region isn't available for read or write access unless there's a failover to the secondary region.
Read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS) configurations permit read access to the secondary region.
RA-GRS/RA-GZRS allows read access even if a failover doesn't happen. This provides load-balancing performance benefits and high-availability for temporary outages of the primary storage that do not trigger a failover.
Azure Files does not support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).
Access Tiers
-
Access Tiers only apply to block blobs.
For blob storage access tiers can be specified at the blob level.
For file shares the access tier is specified at the share level.
The different tiers vary in the storage costs, access costs and retrieval time.
This is kind of counterintuitive, as of 2024-10-11, blobs in General Purpose V2 (GPV2) storage account can be set to Hot/Cool/Archive, but data stored in a premium block blob storage account cannot be tiered. Microsoft is working on supporting tiers for premium blob storage in the future.
Tiers
-
Hot
Cool
Cold
Archive
Should be stored for a minimum of 180 days
Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the archive tier. The archive tier isn't supported for ZRS, GZRS, or RA-GZRS accounts.
Lifecycle Management
Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts.
Before you configure a lifecycle management policy, you can choose to enable blob access time tracking. When access time tracking is enabled, a lifecycle management policy can include an action based on the time that the blob was last accessed with a read or write operation.
Import/Export
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files.
Object Replication
-
Object level replication is distinct from storage account level replication.
Object replication is supported for general-purpose v2 storage accounts and premium block blob accounts.
Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts.
Object replication supports block blobs only; append blobs and page blobs aren't supported.
Change Feed and Blob Versioning must be enabled to support replication.
Because block blob data is replicated asynchronously, the source account and destination account are not immediately in sync. There's currently no SLA on how long it takes to replicate data to the destination account.
Disk Encryption
There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host.
-
To use a key vault for disk encryption that option on the key vault needs to be enabled.
The Powershell command is like this:
New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "eastus" -EnabledForDiskEncryption
Customer Managed Keys
Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work.
Encryption at host