Azure Storage
Storage Accounts
- General-purpose v2 accounts are also referred to as Standard accounts
- To create an Azure premium file share requires a premium level storage account.
- If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.
- Storage Accounts can contain blobs, file shares (e.g. SMB, NFS), queues, and tables.
- Access Keys allow full access to accounts and the contents therein, assuming connectivity at the network layer.
- Data access permissions for a storage account are different than the resource access permissions. A user could have Owner permissions for the storage account, but that does not grant them access to the data in the storage account. But, if you have an Owner role you have the necessary permissions to assign yourself a data access role.
Storage Account Types
- General Purpose V2/Standard
- Premium Block Blobs
- Premium File Shares, FileStorage
- Premium Page Blobs
- Premium performance storage accounts use solid-state drives (SSDs) for low latency and high throughput.
Data Protection
- Point-in-time restore provides protection against accidental deletion or corruption by enabling you to restore block blob data to an earlier state.
- Point-in-time restore is supported for general-purpose v2 storage accounts in the standard performance tier only.
- Only data in the hot and cool access tiers can be restored with point-in-time restore.
- Point-in-time restore is not yet supported in accounts that have a hierarchical namespace.
- Soft Delete can be enabled for blobs, containers, and file shares. Entities are marked for deletion but retained for the specified number of days.
- The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account.
☝️ Redundancy/Replication
- Locally-redundant storage (LRS): storage is redundant in the same location (AZ) as the primary storage
- LRS copies your data synchronously three times within a single physical location in the primary region
- LRS protects your data against server rack and drive failures.
- Data is replicated to different racks/drives than the primary storage.
- Zone-redundant storage (ZRS): storage is redundant across multiple availability zones in a single region
- Geo-redundant storage (GRS): copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously three times using LRS
- Stated another way, GRS stores data using LRS in two different regions.
- Geo-zone-redundant storage (GZRS): this is a combination of GRS and ZRS; data is replicated across three AZ's in the primary region and in one location in the secondary region.
- Stated another way, GZRS stores data in one region using ZRS and in a second region using LRS.
- When you utilize GRS or GZRS, the data in the secondary region isn't available for read or write access unless there's a failover to the secondary region.
- Read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS) configurations permit read access to the secondary region.
- RA-GRS/RA-GZRS allows read access even if a failover doesn't happen. This provides load-balancing performance benefits and high-availability for temporary outages of the primary storage that do not trigger a failover.
Azure Files does not support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).
- You can convert from one type of replication to another, but converting to/from LRS is a special case that requires more than just toggling the option in the portal.
Access Tiers
- Access Tiers only apply to block blobs.
- For blob storage access tiers can be specified at the blob level.
- For file shares the access tier is specified at the share level.
- The different tiers vary in the storage costs, access costs and retrieval time.
This is kind of counterintuitive, as of 2024-10-11, blobs in General Purpose V2 (GPV2) storage account can be set to Hot/Cool/Archive, but data stored in a premium block blob storage account cannot be tiered. Microsoft is working on supporting tiers for premium blob storage in the future.
Tiers
- Hot
- Cool
- Should be stored for a minimum of 30 days
- Cold
- Should be stored for a minimum of 90 days
- Archive
- Should be stored for a minimum of 180 days
- Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the archive tier. The archive tier isn't supported for ZRS, GZRS, or RA-GZRS accounts.
Lifecycle Management
- Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts.
- Before you configure a lifecycle management policy, you can choose to enable blob access time tracking. When access time tracking is enabled, a lifecycle management policy can include an action based on the time that the blob was last accessed with a read or write operation.
Import/Export
Azure Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter. This service can also be used to transfer data from Azure Blob storage to disk drives and ship to your on-premises sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files.
- Exporting data from an Azure storage account is only supported for blob storage.
- Import Jobs can use Azure Files storage and Azure Blob storage as destinations for imported data.
Object Replication
- Object level replication is distinct from storage account level replication.
- Object replication is supported for general-purpose v2 storage accounts and premium block blob accounts.
- Both the source and destination accounts must be either general-purpose v2 or premium block blob accounts.
- Object replication supports block blobs only; append blobs and page blobs aren't supported.
- Change Feed and Blob Versioning must be enabled to support replication.
Because block blob data is replicated asynchronously, the source account and destination account are not immediately in sync. There's currently no SLA on how long it takes to replicate data to the destination account.
Disk Encryption
- There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host.
- To use a key vault for disk encryption that option on the key vault needs to be enabled.
- The Powershell command is like this:
New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "eastus" -EnabledForDiskEncryption
Customer Managed Keys
Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work.
Encryption at host
- Encryption at host is a capability that use the host/physical server where a VM is running to perform disk encryption.