Azure Storage Accounts
There are two types of Storage Accounts: General Purpose Storage Accounts and Blob Storage Accounts.
- General Purpose Storage Accounts have two tiers:
  - Standard (supports Tables, Queues, Blobs and Azure Virtual Machine Disks)
    - Blob Storage (unstructured object data)
      - Block Blobs (storing documents, media files, backups etc., up to 200GB). Most cost-effective
      - Append Blobs (logging scenarios)
      - Page Blobs (up to 1TB; ideal for Azure VM Disks)
    - Table Storage (structured datasets)
    - Queue Storage (reliable messaging for workflow processing)
    - File Storage (for legacy applications that require the SMB protocol)
      - Helps move an on-premises application that relies on shared file storage into Azure
      - Supports standard file system semantics
      - URL format: https://<storage account>.file.core.windows.net/<share>/<directory/directories>/<file>
  - Premium (only supports Azure Virtual Machine Disks)
Note: If you have a large amount of data, you can use the Import/Export service provided by Microsoft. AzCopy is also helpful for uploading large amounts of data.
Blob Storage Accounts
A Blob Storage Account is a specialized storage account for storing unstructured data as blob objects. If your application requires only Block or Append Blobs, this type is recommended. Because it supports only those two blob types, a Blob Storage Account is not suitable for hosting Azure Virtual Machines, whose disks are Page Blobs.
- Hot (objects that applications access frequently): lower access cost
- Cool (objects that are accessed infrequently): lower storage cost
You can use a custom domain to access the blob data.
- Direct CNAME: create a CNAME record with your DNS provider [simpler and quicker]
- Indirect CNAME validation: create an asverify CNAME record first, then the CNAME record, and select the indirect CNAME validation option [no downtime in this method]
There are different ways a storage account can be secured:
- RBAC and Azure Active Directory can be used to restrict access to the storage account itself
- Data in transit can be secured using client-side encryption, HTTPS and SMB 3.0
- Storage Service Encryption automatically encrypts data at rest when it is written to Azure Storage
- Azure Disk Encryption is used for OS and data disks
- Shared Access Signatures, together with Stored Access Policies, are used to delegate access to objects in the storage account
Shared Access Signature: possible ways of controlling access
- Allowed services
- Allowed resource types
- Specified duration (start and expiry time)
- Specific protocol
- Specific IP address or address range
- Type of access (read, write, update, delete, add, list, create, process)
Note: A storage account key grants access to the entire account, whereas a SAS grants access in a more granular manner and for a limited time. Regenerating the storage account keys invalidates any SAS tokens signed with them, so those tokens must be reissued.
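The controls listed above, as an added example that is not from the notes or from Microsoft: a simplified model of a Shared Access Signature. It keeps the ingredients of an Azure service SAS (permissions, start/expiry, protocol, IP range, version and resource, signed with HMAC-SHA256 using the account key and carried as the base64 `sig` query parameter), but the canonical string-to-sign is a simplification, so tokens it produces would not be accepted by the real service. The account keys, resource path and IP addresses are constructed. The `demo()` function exercises each control and shows why regenerating the key forces SAS tokens to be reissued.

```python
"""Simplified Shared Access Signature (SAS) model: mint and verify.

Added example for these notes, not Microsoft code. The canonical string here
is a simplification of Azure's, so tokens are NOT valid against the real
service. Keys, resource names and addresses are constructed.
"""
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed stand-ins for the two base64 storage account keys.
ACCOUNT_KEY_1 = base64.b64encode(b"constructed-account-key-one-not-real").decode()
ACCOUNT_KEY_2 = base64.b64encode(b"constructed-account-key-two-rotated!").decode()

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Query-parameter names follow the Azure SAS parameters: signed permissions,
# start, expiry, IP range, protocol, version and resource type.
SIGNED_FIELDS = ("sp", "st", "se", "sip", "spr", "sv", "sr")


def string_to_sign(resource: str, params: dict) -> str:
    """Canonical string: each signed field (empty if absent), then the resource."""
    return "\n".join([params.get(f, "") for f in SIGNED_FIELDS] + [resource])


def sign(key_b64: str, message: str) -> str:
    mac = hmac.new(base64.b64decode(key_b64), message.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def mint_sas(key_b64, resource, permissions, start, expiry, ip_range="", protocol="https"):
    """Build a SAS query string granting `permissions` on `resource`."""
    params = {"sv": "2018-11-09", "sr": "b", "sp": permissions,
              "st": start.strftime(TIME_FMT), "se": expiry.strftime(TIME_FMT),
              "spr": protocol}
    if ip_range:
        params["sip"] = ip_range
    params["sig"] = sign(key_b64, string_to_sign(resource, params))
    return urlencode(params)


def verify_sas(key_b64, resource, token, *, permission, client_ip, scheme, now):
    """Service-side check of one request against the token. Returns (ok, reason)."""
    params = {k: v[0] for k, v in parse_qs(token, strict_parsing=True).items()}
    presented = params.pop("sig", "")
    expected = sign(key_b64, string_to_sign(resource, params))
    if not hmac.compare_digest(presented, expected):
        return False, "signature mismatch (wrong or regenerated key, or edited parameters)"
    start = datetime.strptime(params["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(params["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if not start <= now < expiry:
        return False, "outside validity window"
    if params.get("spr") == "https" and scheme != "https":
        return False, "protocol not allowed"
    if permission not in params["sp"]:
        return False, f"permission {permission!r} not granted"
    if "sip" in params:
        low, _, high = params["sip"].partition("-")
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high or low)
        if not lo <= ipaddress.ip_address(client_ip) <= hi:
            return False, "client IP outside allowed range"
    return True, "ok"


def demo():
    """Exercise each control the notes list; returns {scenario: accepted?}."""
    resource = "/blob/constructedacct/reports/q3.csv"   # constructed canonical resource
    t0 = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock
    token = mint_sas(ACCOUNT_KEY_1, resource, "rl", t0, t0 + timedelta(hours=1),
                     ip_range="203.0.113.0-203.0.113.255")

    def check(**kw):
        args = dict(permission="r", client_ip="203.0.113.7", scheme="https", now=t0)
        args.update(kw)
        return verify_sas(ACCOUNT_KEY_1, resource, token, **args)[0]

    return {
        "read_in_window_from_allowed_ip": check(),
        "write_not_granted": check(permission="w"),
        "http_blocked": check(scheme="http"),
        "ip_outside_range": check(client_ip="198.51.100.9"),
        "after_expiry": check(now=t0 + timedelta(hours=2)),
        # Same token, verified with the regenerated key: the signature no longer matches.
        "after_key_regeneration": verify_sas(ACCOUNT_KEY_2, resource, token, permission="r",
                                             client_ip="203.0.113.7", scheme="https", now=t0)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:32} {'accepted' if accepted else 'denied'}")
```

Only the first scenario is accepted. The token carries no secret itself; its authority comes entirely from the signature over the constraints, which is why every constraint is checked before the request is served and why a key regeneration revokes every outstanding token at once.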
Different types of public access level (access policy) for containers in the Blob service:
- Private (accessible to the owner only; no anonymous access)
- Blob (anonymous read access to the blobs in the container)
- Container (anonymous read and list access to the entire container)
Default log retention is 7 days and can be configured up to 365 days.
Logs are available in the $logs blob container for the blob, queue and table services.
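The logs in the $logs container are the place to confirm the container access levels above are what you intended: an anonymous request that succeeds can only happen against a container set to Blob or Container access. As an added example (not from the notes or from Microsoft tooling), the block below parses Storage Analytics log lines and flags anonymous successes, authorization failures and account-key (Shared Key) requests from outside a trusted network. Assumptions: `FIELDS` lists the version 1.0 log fields in the order I recall from the Storage Analytics log format documentation, and the `authentication-type` and `request-status` values used in the rules come from that format; verify both against current documentation before running it on real logs. The log lines and the account name `constructedacct` are constructed.

```python
"""Parse Storage Analytics $logs records and flag what a defender would review.

Added example for these notes, not Microsoft tooling. FIELDS and the
status/authentication-type strings are assumptions taken from the 1.0 log
format as I recall it; the sample records are constructed.
"""
import csv
import io
import ipaddress
from collections import Counter

FIELDS = [
    "version-number", "request-start-time", "operation-type", "request-status",
    "http-status-code", "end-to-end-latency-in-ms", "server-latency-in-ms",
    "authentication-type", "requester-account-name", "owner-account-name",
    "service-type", "request-url", "requested-object-key", "request-id-header",
    "operation-count", "requester-ip-address", "request-version-header",
    "request-header-size", "request-packet-size", "response-header-size",
    "response-packet-size", "request-content-length", "request-md5", "server-md5",
    "etag-identifier", "last-modified-time", "conditional-headers",
    "user-agent-header", "referrer-header", "client-request-id",
]

# Constructed sample records: one per line, semicolon-delimited, string fields quoted.
SAMPLE_LOGS = """\
1.0;2024-01-15T12:00:01.1234567Z;GetBlob;AnonymousSuccess;200;12;8;anonymous;;constructedacct;blob;"https://constructedacct.blob.core.windows.net/public/index.html";"/constructedacct/public/index.html";00000000-0000-0000-0000-000000000001;0;198.51.100.10:55123;2018-11-09;289;0;200;1024;0;;;"0x8D1CONSTRUCTED";Monday, 15-Jan-24 11:59:00 GMT;;"Mozilla/5.0";;
1.0;2024-01-15T12:00:02.0000000Z;GetBlob;SASAuthorizationError;403;5;5;sas;;constructedacct;blob;"https://constructedacct.blob.core.windows.net/reports/q3.csv?sv=2018-11-09&sr=b&sp=r&sig=REDACTED";"/constructedacct/reports/q3.csv";00000000-0000-0000-0000-000000000002;0;192.0.2.44:40122;2018-11-09;310;0;180;0;0;;;;;;"curl/8.0";;
1.0;2024-01-15T12:00:03.0000000Z;ListBlobs;Success;200;20;15;authenticated;constructedacct;constructedacct;blob;"https://constructedacct.blob.core.windows.net/reports?restype=container&comp=list";"/constructedacct/reports";00000000-0000-0000-0000-000000000003;0;203.0.113.200:51000;2018-11-09;330;0;250;4096;0;;;;;;"Azure-Storage/9.3.0";;
1.0;2024-01-15T12:00:04.0000000Z;PutBlob;Success;201;30;22;authenticated;constructedacct;constructedacct;blob;"https://constructedacct.blob.core.windows.net/reports/q4.csv";"/constructedacct/reports/q4.csv";00000000-0000-0000-0000-000000000004;0;10.0.0.5:52000;2018-11-09;400;2048;150;0;2048;;;"0x8D1CONSTRUCTED2";Monday, 15-Jan-24 12:00:04 GMT;;"AzCopy/10.0";;
1.0;2024-01-15T12:00:05.0000000Z;GetBlob;AnonymousAuthorizationError;404;4;4;anonymous;;constructedacct;blob;"https://constructedacct.blob.core.windows.net/reports/q3.csv";"/constructedacct/reports/q3.csv";00000000-0000-0000-0000-000000000005;0;198.51.100.10:55200;2018-11-09;250;0;170;0;0;;;;;;"python-requests/2.31";;
"""


def parse_logs(text):
    """Split records on ';' honouring quoted fields; reject lines of the wrong width."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if not rec:
            continue
        if len(rec) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(rec)}: {rec[:3]}")
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def requester_ip(row):
    # The field carries IPv4 address:port in this format; drop the port (IPv6 not handled here).
    return ipaddress.ip_address(row["requester-ip-address"].rsplit(":", 1)[0])


def findings(rows, trusted_cidrs):
    """Return (rule, row) pairs for records worth a closer look."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = []
    for r in rows:
        ip = requester_ip(r)
        auth, status = r["authentication-type"], r["request-status"]
        if auth == "anonymous" and status.endswith("Success"):
            # Only possible when the container's access level is Blob or Container.
            out.append(("anonymous-success", r))
        if "AuthorizationError" in status:
            out.append(("authorization-failure", r))
        if auth == "authenticated" and not any(ip in n for n in trusted):
            # Shared Key (account key) use from outside the expected network.
            out.append(("key-auth-from-untrusted-ip", r))
    return out


def run_demo(trusted_cidrs=("10.0.0.0/8",)):
    """Count findings per rule over the constructed sample."""
    return Counter(rule for rule, _ in findings(parse_logs(SAMPLE_LOGS), trusted_cidrs))


if __name__ == "__main__":
    rows = parse_logs(SAMPLE_LOGS)
    print("requests by authentication type:",
          dict(Counter(r["authentication-type"] for r in rows)))
    for rule, r in findings(rows, ["10.0.0.0/8"]):
        print(f"{rule:28} {r['operation-type']:10} {requester_ip(r)!s:16} {r['requested-object-key']}")
```

On the sample this reports one anonymous success (the `public` container), two authorization failures (one SAS, one anonymous probe of a private container) and one account-key request from outside the trusted range, while the AzCopy upload from 10.0.0.5 is left alone. Because retention caps at 365 days, anything you want to keep longer than the configured window has to be copied out of $logs before it ages out.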