Azure Storage Account
An Azure storage account is a secure account that gives you access to Azure Storage services. The storage account is like an administrative container, and within it, we can have multiple services like blobs, files, queues, tables, disks, etc. When we create a storage account in Azure, we get a unique namespace for our storage resources. This unique namespace forms part of the URL. The storage account name must be unique among all existing storage account names in Azure.
Types of storage accounts
Storage account type | Supported Services | Supported performance levels | Supported access levels | Replication options | Deployment model | Encryption |
General-purpose V2 | Blob, File, Queue, Table, and Disk | Standard, Premium | Hot, Cool, Archive | LRS, ZRS, GRS, RA-GRS | Resource Manager | Encrypted |
General-purpose V1 | Blob, File, Queue, Table, and Disk | Standard, Premium | N/A | LRS, GRS, RA-GRS | Resource Manager, Classic | Encrypted |
Blob Storage | Blob (block blobs and append blobs only) | Standard | Hot, Cool, Archive | LRS, GRS, RA-GRS | Resource Manager | Encrypted |
Note: If you want to use all storage services, we recommend you choose the general-purpose version 2. If you need a storage account for blobs only, you can choose the blob storage account type.
Types of performance levels
- Standard Performance: This tier includes magnetic disks and offers a low cost per GB. Therefore, it is ideal for applications that require bulk storage or infrequently accessed data.
- Higher Storage Performance: This tier includes SSDs and offers consistent performance and low latency. It can only be used for Azure virtual machine disks and is best for I/O-intensive workloads such as databases.
(Each virtual machine disk resides in a storage account. If we attach a disk, we'll go for premium storage. But if we use the storage account specifically to store blobs, we'll go for standard performance.)
Access levels
There are four types of access levels:
- Premium Storage (Preview): It provides high-performance hardware for frequently accessed data.
- Hot storage: This is the storage of data that is accessed frequently.
- Cold storage: This is the storage of rarely accessed data that is kept for at least 30 days.
- Archive Storage: This is the storage of rarely accessed files that are kept for a minimum of 180 days and have flexible latency requirements (on the order of a few hours).
Advantage of access levels
When a user uploads a document to storage, the document will initially be accessed frequently. During this period, we place the document in the hot storage tier.
After a while, once the work on the document is done, no one usually accesses it, so it becomes a rarely accessed document. We can then move the document from hot storage to cold storage to save costs, because cold storage is priced according to how often the document is accessed. In other words, once the document has matured (we have stopped working on it and rarely refer to it), we place it in cold storage.
If we will not be looking at the document at all for six months or a year, we move it to archive storage.
Hot storage is therefore more expensive than cold storage in terms of storage. But cold storage is more expensive in terms of access. Archival storage involves archiving documents in a storage facility that cannot be accessed.
Azure Storage Replication
Azure storage replication enables data durability. It copies our data so that it remains protected against planned and unplanned events. These events range from transient hardware failures and network or power outages to massive natural disasters or man-made vulnerabilities.
Azure creates several copies of our data and stores them in different locations, depending on the replication policy.
- LRS (Local Redundant Storage): If we opt for local redundant storage, the data is kept within the data center. If the data center or region goes down, the data will be lost.
- ZRS (Zone-Redundant Storage): Data is replicated between data centers, but within the region. In this case, the data is still available in the data center even if a node is unavailable, and it remains available even if the entire data center goes down, because the data is already present in another data center within the region. However, if the region itself is down, you will not have access to the data.
- GRS (Globally Redundant Storage): To protect our data from regional outages, we can opt for globally redundant storage. In this case, the data is replicated to the paired region within the geography. If we also want read-only access to the data in the other region, we can opt for RA-GRS (Read Access global-redundant storage). Each option offers a different level of durability, as we can see in the table below.

Storage Account Endpoints
Every time we create a storage account, we get an endpoint to access the data in the storage account. Every object stored in Azure Storage therefore has an address. That address is the combination of your unique account name and a service endpoint, which together form the endpoint of your storage account.
For example, if your general-purpose account name is mystorageaccount, the default endpoints for the various services typically look like this:
- Azure Blob storage: http://mystorageaccount.blob.core.windows.net
- Azure Table storage: http://mystorageaccount.table.core.windows.net
- Azure Queues storage: http://mystorageaccount.queue.core.windows.net
- Azure files: http://mystorageaccount.file.core.windows.net
If we want to associate our custom domain with these endpoints, we can do so. We can then use our custom domain to reference these storage service endpoints.
Creating and configuring the Azure storage account
Let’s see how to create a storage account in the Azure portal and discuss some of the important settings associated with the storage account:
Step 1: Log in to your Azure portal home screen and click “Create a resource”. Then type “Storage account” in the search box and click “Storage account”.


Step 2: Click “Create”. You will be redirected to the Create Storage Account window.

Step 3: When you create a resource in Azure, you first need to select the subscription and then choose a resource group. For example, here the subscription is “Free Trial”.
Use your existing resource group or create a new one. Here, we will create a new resource group.

Step 4: Next, provide the storage account name, which must be all lowercase and unique across Azure. Then select your location, performance tier, account type, replication policy, access level, and click Next.

Step 5: You are now in the networking window. Here you need to select the connectivity method and then click next.

Step 6: Now you are in the Advanced window where you need to enable or disable Security, Azure Files, Data Protection, Data Lake Storage and then click next.

Step 7: The Tags window appears and you can provide tags to categorize your resources into specific categories. Enter the tag name and value and click Next.

Step 8: This is the final step, where validation has passed and you can review all the settings you have provided. Finally, click “Create”.

Now that our storage account is up and running, a window will appear with the message “Your deployment is complete”.

Click on “Go to resource” and the following window will appear.

You can see all the values you selected for the various configuration settings when creating the storage account.
Main features of the storage account
Let’s take a look at some key configuration settings and main features of the storage account.
General Features
- Activity Log: It applies to every resource in Azure. In this context, it provides a record of the activities performed on that particular resource and is common to all Azure resources.
- Tags: We can assign new tags or edit existing tags here.
- Events: We can subscribe to some of the events that occur in this storage account. The subscriber can be a logic app or a function. For example, when a blob is created in the storage account, this event will trigger a logic app with some of that blob’s metadata.
- Storage Explorer: This allows you to explore the data residing in your storage account in terms of blobs, files, queues, and tables. Again, there is a desktop version of this Storage Explorer, but also a web version.
- CORS (Cross-Origin Resource Sharing): Here we can specify the allowed domain names and the operations allowed for them.
- Configuration: There are some things we cannot change once the storage account is generated. For example, the performance type. But we can change the access level, whether secure transport is required or not, the replication strategy, etc.
Security Features
- Access Control: Here we can delegate access to the storage account to different users.
- Encryption: Here we can specify our own key if we want to encrypt the data in the storage account. We need to click the checkbox, and we can select a key vault URI where the key is located.
- Access keys: The access key grants general access to the data in the storage account. Therefore, we recommend not giving access to the access keys to anyone other than the creator of that storage account.
- Shared Access Signature (SAS): Here we can generate SAS keys with limited access and for a limited period. A SAS is used to access the data that is stored in the storage account.
- Firewall and Virtual Network: Here we can configure the network so that connections from certain virtual networks are allowed to connect to this storage account.
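A SAS only limits exposure if its permissions and lifetime really are narrow. The following added example (not part of the original article) parses a SAS URL on one of the default endpoints described earlier and reports tokens that are too broad; the 24-hour limit, the sample URLs and the function names are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

SERVICES = {"blob", "file", "queue", "table"}
MODIFYING = set("wdacu")  # write, delete, add, create, update

def _utc(value):
    # Assumes the full ISO 8601 UTC form, e.g. 2024-01-01T13:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_sas_url(url, now, max_lifetime=timedelta(hours=24)):
    """Return (account, service, findings) for a SAS URL on a default endpoint."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    # Default endpoints have the form <account>.<service>.core.windows.net
    if (len(labels) != 5 or labels[1] not in SERVICES
            or labels[2:] != ["core", "windows", "net"]):
        raise ValueError("not a default storage endpoint: %r" % parts.hostname)
    account, service = labels[0], labels[1]
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    # spr restricts the protocol; when it is omitted the token also works over HTTP.
    if parts.scheme != "https" or query.get("spr", "https,http") != "https":
        findings.append("not restricted to HTTPS")
    modifying = sorted(set(query.get("sp", "")) & MODIFYING)
    if modifying:
        findings.append("grants modifying permissions: " + "".join(modifying))
    if "se" not in query:
        findings.append("no expiry in the token")
    elif _utc(query["se"]) <= now:
        findings.append("already expired")
    elif _utc(query["se"]) - now > max_lifetime:
        findings.append("valid for longer than %s" % max_lifetime)
    return account, service, findings

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the samples
# Constructed sample URLs; the sig values are placeholders, not real signatures.
NARROW = ("https://mystorageaccount.blob.core.windows.net/docs/report.pdf"
          "?sv=2022-11-02&sr=b&sp=r&se=2024-01-01T13%3A00%3A00Z&spr=https&sig=PLACEHOLDER")
BROAD = ("https://mystorageaccount.blob.core.windows.net/docs"
         "?sv=2022-11-02&sr=c&sp=rwdl&se=2025-01-01T00%3A00%3A00Z&sig=PLACEHOLDER")

if __name__ == "__main__":
    for url in (NARROW, BROAD):
        print(review_sas_url(url, NOW))
```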
It is worth noting that we can configure advanced threat protection and make the storage account compatible with hosting a static website.
- Properties: Here we can see the properties related to the storage account.
- Locks: Here we can apply locks on services.
So these are the different settings that we can configure, and the rest of the settings are related to different services within the storage account – for example, blob, file, table, and queue.
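The settings above can also be checked outside the portal. The following added example (not part of the original article) audits a storage account described in its Azure Resource Manager form against a small policy covering secure transfer, the firewall, access keys, the encryption key and replication; the two sample resources and the policy itself are constructed for illustration.

```python
def _get(resource, path, default=None):
    """Walk a dotted path such as 'properties.networkAcls.defaultAction'."""
    for key in path.split("."):
        if not isinstance(resource, dict) or key not in resource:
            return default
        resource = resource[key]
    return resource

# (property path, predicate for an acceptable value, message when it fails).
# This policy is an assumption for the example; adjust it to your own baseline.
CHECKS = [
    ("properties.supportsHttpsTrafficOnly", lambda v: v is True,
     "secure transfer (HTTPS only) is not required"),
    ("properties.networkAcls.defaultAction", lambda v: v == "Deny",
     "firewall allows connections from all networks by default"),
    ("properties.allowSharedKeyAccess", lambda v: v is False,
     "access keys can authorize requests to all data"),
    ("properties.encryption.keySource", lambda v: v == "Microsoft.Keyvault",
     "encryption uses a Microsoft-managed key, not a key from a key vault"),
    ("sku.name", lambda v: isinstance(v, str) and not v.endswith("_LRS"),
     "LRS keeps the data in one data center only"),
]

def audit_storage_account(resource, checks=CHECKS):
    """Return (path, message) for every setting that fails its check."""
    return [(path, msg) for path, ok, msg in checks if not ok(_get(resource, path))]

# Constructed sample resources (not real accounts).
WEAK = {
    "name": "mystorageaccount",
    "sku": {"name": "Standard_LRS"},
    "properties": {
        "supportsHttpsTrafficOnly": False,
        "networkAcls": {"defaultAction": "Allow"},
        "encryption": {"keySource": "Microsoft.Storage"},
    },
}
HARDENED = {
    "name": "mystorageaccount",
    "sku": {"name": "Standard_GRS"},
    "properties": {
        "supportsHttpsTrafficOnly": True,
        "allowSharedKeyAccess": False,
        "networkAcls": {"defaultAction": "Deny"},
        "encryption": {"keySource": "Microsoft.Keyvault"},
    },
}

if __name__ == "__main__":
    for path, message in audit_storage_account(WEAK):
        print(path, "->", message)
```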