Azure Storage

This is an old revision of the document!

AZ-104 Study Guide 2024

https://learn.microsoft.com/en-us/azure/storage/common/storage-account-overview#types-of-storage-accounts
General-purpose v2 accounts are also referred to as Standard accounts
To create an Azure premium file share requires a premium level storage account.
- If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.

Storage Accounts can contain blobs, file shares (e.g. SMB, NFS), queues, and tables.
Access Keys allow full access to accounts and the contents therein, assuming connectivity at the network layer.
Data access permissions for a storage account are different than the resource access permissions. A user could have Owner permissions for the storage account, but that does not grant them access to the data in the storage account. But, if you have an Owner role you have the necessary permissions to assign yourself a data access role.

General Purpose V2/Standard
Premium Block Blobs
Premium File Shares, FileStorage
Premium Page Blobs

Point-in-time restore provides protection against accidental deletion or corruption by enabling you to restore block blob data to an earlier state.
- Point-in-time restore is supported for general-purpose v2 storage accounts in the standard performance tier only.
- Only data in the hot and cool access tiers can be restored with point-in-time restore.
- Point-in-time restore is not yet supported in accounts that have a hierarchical namespace.

Soft Delete can be enabled for blobs, containers, and file shares. Entities are marked for deletion but retained for the specified number of days.
The purpose of the change feed is to provide transaction logs of all the changes that occur to the blobs and the blob metadata in your storage account.

Locally-redundant storage (LRS): storage is redundant in the same location (AZ) as the primary storage
- LRS copies your data synchronously three times within a single physical location in the primary region
- LRS protects your data against server rack and drive failures.
Zone-redundant storage (ZRS): storage is redundant across multiple availability zones in a single region
Geo-redundant storage (GRS): copies your data synchronously three times within a single physical location in the primary region using LRS. It then copies your data asynchronously to a single physical location in the secondary region. Within the secondary region, your data is copied synchronously three times using LRS
- Stated another way, GRS stores data using LRS in two different regions.
Geo-zone-redundant storage (GZRS): this is a combination of GRS and ZRS; data is replicated across three AZ's in the primary region and in one location in the secondary region.
- Stated another way, GZRS stores data in one region using ZRS and in a second region using LRS.
When you utilize GRS or GZRS, the data in the secondary region isn't available for read or write access unless there's a failover to the primary region.
- Read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS) configurations permit read access to the secondary region.

Azure Files does not support read-access geo-redundant storage (RA-GRS) or read-access geo-zone-redundant storage (RA-GZRS).

https://learn.microsoft.com/en-us/azure/storage/blobs/access-tiers-overview
Access Tiers only apply to block blobs.
The different tiers vary in the storage costs, access costs and retrieval time.

This is kind of counterintuitive, as of 2024-10-11 blobs in General Purpose V2 (GPV2) storage account can be set to Hot/Cool/Archive, but data stored in a premium block blob storage account cannot be tiered. Microsoft is working on supporting tiers for premium blob storage in the future.

Hot
Cool
- Should be stored for a minimum of 30 days
Cold
- Should be stored for a minimum of 90 days
Archive
- Should be stored for a minimum of 180 days
- Only storage accounts that are configured for LRS, GRS, or RA-GRS support moving blobs to the archive tier. The archive tier isn't supported for ZRS, GZRS, or RA-GZRS accounts.

Lifecycle management policies are supported for block blobs and append blobs in general-purpose v2, premium block blob, and Blob Storage accounts.

https://learn.microsoft.com/en-us/azure/backup/backup-azure-restore-files-from-vm
Exporting data from an Azure storage account is only supported for blob storage.
Import Jobs can use Azure Files storage and Azure Blob storage as destinations for imported data.

https://learn.microsoft.com/en-us/azure/storage/blobs/object-replication-overview

There are several types of encryption available for your managed disks, including Azure Disk Encryption (ADE), Server-Side Encryption (SSE), and encryption at host.
https://learn.microsoft.com/en-us/azure/virtual-machines/disk-encryption-overview
To use a key vault for disk encryption that option on the key vault needs to be enabled.
The Powershell command is like this:

New-AzKeyvault -name "<your-unique-keyvault-name>" -ResourceGroupName "myResourceGroup" -Location "eastus" -EnabledForDiskEncryption

Customer-managed keys rely on managed identities for Azure resources, a feature of Microsoft Entra ID. When you configure customer-managed keys, a managed identity is automatically assigned to your resources under the covers. If you subsequently move the subscription, resource group, or managed disk from one Microsoft Entra directory to another, the managed identity associated with managed disks is not transferred to the new tenant, so customer-managed keys may no longer work.