Azure Storage - Ebook

Microsoft Azure Storage: Storage Account, Manage Data, Data Security, Data Replication, Manage Access


Choosing the right storage is important: customer experience, cost, reliability, availability.

Microsoft Azure Storage
❑ Durable and highly available
❑ Secure
❑ Scalable
❑ Managed
❑ Accessible

https://docs.microsoft.com/en-us/azure/storage/common/storage-introduction
My Cloud Bucket
How to access a Node.js application running on a remote server?

ngrok provides a real-time web UI where you can introspect all HTTP traffic running
over your tunnels. Replay any request against your tunnel with one click.

npm install ngrok -g

ngrok http 1234


Types of Data: structured data, semi-structured data, unstructured data

Structured Data
Structured data is data that adheres to a schema, so all of the data has the same fields or properties.
Example: a database table

Semi-structured Data
Semi-structured data doesn't fit neatly into tables, rows, and columns. Instead, semi-structured data
uses tags or keys that organize and provide a hierarchy for the data.
Example: JSON file, XML file

Unstructured Data
Unstructured data encompasses data that has no designated structure to it. This lack of structure also
means that there are no restrictions on the kinds of data it can hold.
Example: email, video file, PDF

(Figure: examples of structured, semi-structured and unstructured data.)
A Simple Application Architecture
(Figure: Users -> Internet -> Web Server -> Database Server)

A Simple Application Architecture
(Figure: Users -> Internet -> Web Servers -> Job Queue -> Backend Servers, with a NoSQL Database, a Relational Database and Storage behind them)

A Simple Application Architecture, mapped to Azure Storage services
(Figure: Users -> Internet -> Web Servers -> Job Queue -> Backend Servers)
▪ Azure Blob Storage to store images, videos, media or any other files
▪ Azure Queue Storage for storing large numbers of messages
▪ Azure Table Storage for storing semi-structured data
▪ File Share to store and share configuration files and log files between multiple VMs
▪ SQL Database (relational database)
This Photo by Unknown Author is licensed under CC BY-SA
Microsoft Azure Storage: Storage Account, Manage Data, Data Security, Data Replication, Manage Access

Application Demo
An interesting application demo to grab attention and connect the lessons to real-world knowledge.
What is Azure Storage?

Azure Storage is the modern-day solution to all storage problems. Its storage
capacity is virtually limitless. Being a pay-as-you-go model, it gives you the
flexibility of paying only for what you have used.

Priorities while selecting your storage
01 Enabling remote work from home
02 Securing your organization
03 Enabling business continuity & DR
04 Accelerating migration to the cloud
05 Optimizing cost

Why Azure Storage?
✓ Durable & highly available
✓ Secure
✓ Scalable
✓ Managed
✓ Accessible
Azure Data Storage

Most organizations have diverse requirements for their cloud-hosted data. For example, storing
data in a specific region, or needing separate billing for different data categories. Azure storage
accounts let you formalize these types of policies and apply them to your Azure data.

What is a storage account?
A storage account is a container that groups a set of Azure Storage services together.

Why storage account?
• Combining data services into a storage account lets you manage them as a group.
• The settings you specify when you create the account, or any that you change after creation, are
applied to everything in the account.
• Deleting the storage account deletes all of the data stored inside it.
Microsoft Azure Storage: Storage Account, Manage Data, Data Security, Data Replication, Manage Access

What is a storage account?

A storage account is a container that groups a set of Azure Storage services together.

How many storage accounts are needed?

Azure Storage Account

What if we just create one storage account and store all our data inside it?

➢ How much did customer ABC add to the project's storage cost in the last quarter?

➢ Give full access to user XYZ to his project1_container, but make sure he doesn't get any
access to any other data.

How many storage accounts?

"Why not one storage account for the whole organization's data…"

"A new storage account for any new requirement…"

Azure Storage Account

How many storage accounts you need depends on:

▪ Data diversity
▪ Cost sensitivity
▪ Management overhead

And they reached a solution, though the two are different ☺

"I will create a new storage account because this new client wants higher performance and
durability than the others, and it is also a new customer we have in the West Europe region."

"I will place the old HR reports in the existing storage account as an archive, where the
latest reports are being kept. So there is no need to create a new account."
Core Storage Services

✓ Blobs
✓ Files
✓ Queue
✓ Table
✓ Disk
Storage Account Performance

Standard storage accounts are backed by magnetic drives and provide the lowest cost per GB.
They're best for applications that require bulk storage or where data is accessed infrequently.

Premium storage accounts are backed by solid state drives and offer consistent, low-latency
performance. They can only be used with Azure virtual machine disks, and are best for
I/O-intensive applications, like databases.
Account Kind

Storage account kind is a set of policies that determine which data services you can include in
the account and the pricing of those services. There are three kinds of storage accounts:

• StorageV2 (general purpose v2): the current offering that supports all storage types and all
of the latest features
• Storage (general purpose v1): a legacy kind that supports all storage types but may not
support all features
• Blob storage: a legacy kind that allows only block blobs and append blobs

Microsoft recommends that you use the General-purpose v2 option for new storage accounts.
Account Kind

Microsoft Azure Storage: Storage Account, Manage Data, Data Security, Data Replication, Manage Access


Problem Statement
You're an admin for a music streaming service. Your organization uses Azure
Storage to store the music files.

Uptime is important to you and your users. If your audio files aren't available, you
might lose subscribers to another service.

How do you plan to protect your organization from a region-wide outage and
practice a storage failover?
Azure Storage Redundancy
Azure Storage always stores multiple copies of your data so that it is
protected from planned and unplanned events, including transient
hardware failures, network or power outages, and massive natural
disasters.
Redundancy ensures that your storage account meets its availability
and durability targets even in the face of failures.
Azure Storage Redundancy
(Figure: an uploaded file is kept as multiple copies, Copy 1 and Copy 2, in cloud storage.)
Azure Storage Redundancy
Locally redundant storage

Locally redundant storage (LRS) copies your data three times across separate racks
of hardware in a datacenter, inside one region. Even if there's a hardware failure,
or if maintenance work is happening in the datacenter, this replication type
ensures data is available for use.

LRS doesn't protect you from a datacenter-wide outage. If the datacenter goes down, you could
lose your data.
Azure Storage Redundancy
Geographically redundant storage
With geographically redundant storage (GRS), your data is copied three times
within one region, and three times in a secondary region that's paired with it.
This way, if your primary region is experiencing an outage, your secondary region
is available for use.
Azure Storage Redundancy
Read-access geo-redundant storage

With GRS, your secondary region isn't available for read access until the primary
region fails.
If you want to read from the secondary region, even if the primary region hasn't
failed, use RA-GRS for your replication type.
Azure Storage Redundancy
Zone-redundant storage
Zone-redundant storage (ZRS) copies your data in three storage clusters in a single
region. Each cluster is in a different physical location and is considered as a single
availability zone. Each cluster uses its own separate utilities for things like
networking and power.

If one datacenter is experiencing an outage, your data remains
accessible from another availability zone in the same Azure region.

Because all availability zones are in a single region, ZRS can't protect your data
from a regional level outage.

Azure Storage Redundancy
Geo-zone-redundant storage

Geo-zone-redundant storage (GZRS) combines the high availability benefits of ZRS
with GRS. With this replication type, your data is copied across three availability
zones in one region.

Data is also replicated three times to another secondary region that's paired with
it. This way, your zone-redundant data is also secure from a regional level outage.
Azure Storage Redundancy
Read-access geo-zone-redundant storage
Read-access geo-zone-redundant storage (RA-GZRS) uses the same replication
method as GZRS but lets you read from the secondary region. If you want to read
the data that's replicated to the secondary region, even if your primary isn't
experiencing downtime, use RA-GZRS for your replication type.
Azure Storage Redundancy
Paired regions
A paired region is where an Azure region is paired with another in the same
geographical location to protect against regional outage. Paired regions are used
with GRS and GZRS replication types.
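The problem statement above asks how to survive a region-wide outage and rehearse a failover. The following Az PowerShell script is an added example, not part of the slides or of Microsoft's documentation; the resource group and account names are placeholders. It moves the music-files account to RA-GRS, checks how far the paired region lags behind, and runs a failover drill.

```powershell
# Added example (not from the slides): choose a geo-redundant SKU, check replication
# health, and rehearse a failover. Resource group and account names are placeholders.
$rg   = 'rg-music-streaming'
$acct = 'stmusicfiles01'

# Read-access geo-redundant storage: three copies in the primary region, three in the
# paired region, and the secondary endpoint readable even while the primary is healthy.
Set-AzStorageAccount -ResourceGroupName $rg -Name $acct -SkuName Standard_RAGRS

# Verify the SKU, the paired region, and how far the secondary lags behind (LastSyncTime).
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $acct -IncludeGeoReplicationStats
$sa.Sku.Name
$sa.PrimaryLocation
$sa.SecondaryLocation                      # the paired region
$sa.GeoReplicationStats | Select-Object Status, LastSyncTime, CanFailover

# Failover drill: promotes the secondary to primary. Writes made after LastSyncTime that
# had not yet replicated are lost, and the account becomes locally redundant in the new
# region until geo-replication is re-enabled.
if ($sa.GeoReplicationStats.CanFailover) {
    Invoke-AzStorageAccountFailover -ResourceGroupName $rg -Name $acct -Force
}

# After the failover: confirm the new primary region and restore geo-redundancy
$sa = Get-AzStorageAccount -ResourceGroupName $rg -Name $acct
$sa.PrimaryLocation
Set-AzStorageAccount -ResourceGroupName $rg -Name $acct -SkuName Standard_RAGRS
```

Run the drill against a non-production copy of the account first: a failover is a real DNS cutover, it takes time to complete, and the data-loss window is exactly the gap reported in LastSyncTime.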
Replication options for Azure Storage
(Table: replication options for Azure Storage.)

Exercise to check your knowledge

https://docs.microsoft.com/en-us/learn/modules/provide-disaster-recovery-replicate-storage-data/6-knowledge-check
Microsoft Azure Storage: Storage Account, Manage Data, Data Security, Data Replication, Manage Access

Storage Account Keys
Shared keys are called storage account keys. Azure creates two of these keys
(primary and secondary) for each storage account you create. The keys give access
to everything in the account.

▪ For security reasons, you might regenerate keys periodically.
▪ If someone hacks into an application and gets the key that was hard-coded or
saved in a configuration file, regenerate the key. The compromised key can give
the hacker full access to your storage account.
▪ If your team is using a Storage Explorer application that keeps the storage
account key, and one of the team members leaves, regenerate the key.
Otherwise, the application will continue to work, giving the former team
member access to your storage account.

Shared Access Signatures
For untrusted clients, use a shared access signature (SAS). A shared access
signature is a string that contains a security token that can be attached to a URI.
Use a shared access signature to delegate access to storage objects and specify
constraints, such as the permissions and the time range of access.
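The two slides above describe key regeneration and constrained SAS tokens. The script below is an added example, not part of the slides or of Microsoft's documentation; the resource group, account, container, blob and IP range are placeholders. It rotates one account key and then issues a SAS that is read-only, time-boxed, HTTPS-only and limited to a single blob.

```powershell
# Added example (not from the slides): rotate an account key, then hand an untrusted
# client a SAS that is read-only, time-boxed, HTTPS-only and limited to one blob.
$rg   = 'rg-storage-demo'       # placeholder
$acct = 'stdemo01'              # placeholder

# Key rotation (a team member left, or a key turned up in a config file).
# Regenerate one key at a time: move consumers to key2 first, regenerate key1, then swap back.
New-AzStorageAccountKey -ResourceGroupName $rg -Name $acct -KeyName key1 | Out-Null

# Fetch the fresh key. Every SAS that was signed with the old key stops validating now.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $acct)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $acct -StorageAccountKey $key

# Service SAS for a single blob: permission r only, one-hour window, HTTPS only,
# pinned to the client's address range (203.0.113.0/24 is a documentation range).
$sasUri = New-AzStorageBlobSASToken -Container 'project1-container' -Blob 'report.pdf' `
              -Permission r -Protocol HttpsOnly `
              -StartTime (Get-Date).AddMinutes(-5) -ExpiryTime (Get-Date).AddHours(1) `
              -IPAddressOrRange '203.0.113.0-203.0.113.255' `
              -FullUri -Context $ctx
$sasUri   # https://stdemo01.blob.core.windows.net/project1-container/report.pdf?sv=...&sp=r&se=...&spr=https&sig=...

# Preferred where the client can be given one: a user delegation SAS, signed with your
# Azure AD identity instead of the account key, so key rotation does not affect it.
$aadCtx = New-AzStorageContext -StorageAccountName $acct -UseConnectedAccount
New-AzStorageBlobSASToken -Container 'project1-container' -Blob 'report.pdf' -Permission r `
    -ExpiryTime (Get-Date).AddHours(1) -Protocol HttpsOnly -FullUri -Context $aadCtx
```

The five-minute backdated start time absorbs clock skew between the issuer and the storage service; without it a client can receive a token that is "not yet valid".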
Blob Storage
▪ Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is
optimized for storing massive amounts of unstructured data, such as text or binary data.
It has no restrictions on the kinds of data it can hold.
▪ You can use Blob Storage to expose data publicly to the world, or to store application
data privately.
▪ The blob service includes:
  ▪ Blobs, which are the data objects of any type
  ▪ Containers, which wrap multiple blobs together
  ▪ Azure storage account, which contains all of your Azure storage data objects
Blob Storage
Blob storage is ideal for:
▪ Serving images or documents directly to a browser
▪ Storing files for distributed access
▪ Streaming video and audio
▪ Storing data for backup and restore, disaster
recovery, and archiving
▪ Storing data for analysis by an on-premises or
Azure-hosted service
Blob Categories
Block blobs: These are blobs that are intended to store discrete objects such as images,
log files and more. Block blobs can store data up to ~5TB, or 50,000 blocks of up to 100MB each.

Page blobs: These are optimized for random read and write operations and can grow up to
8TB in size. Within the page blob category, Azure offers two types of storage: standard and
premium. The latter is the most ideal for virtual machine (VM) storage disks (including the
operating system disk).

Append blobs: Optimized for append scenarios like log storage, append blobs are composed of
several blocks of different sizes, up to a maximum of 4MB. Each append blob can hold up to
50,000 blocks, therefore allowing each append blob to grow up to 200GB.

Blob Storage Tiers
Hot access tier: Out of the three options, the hot access tier is the most optimized for data
that is accessed frequently. It offers the lowest access (read-write) cost, but the highest
storage cost.

Cool access tier: This option is better suited for use cases where data will remain stored for
at least 30 days and is not accessed frequently. Compared to the hot access tier, this tier
offers lower storage costs and higher access costs.

Archive access tier: Archive storage is designed for data that doesn't need to be accessed
immediately. This tier offers higher data retrieval costs, and also higher data access latency.
It is designed for use cases where data will be stored for more than 180 days and is rarely
accessed.

https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security
Encryption at Rest

All data written to Azure Storage is automatically encrypted by Storage Service Encryption (SSE).
SSE automatically encrypts data when writing it to Azure Storage.

When you read data from Azure Storage, Azure Storage decrypts the data before returning it.

This process incurs no additional charges and doesn't degrade performance. It can't be disabled.
Application Demo
File Share

(Figure: QA Team, Development Team and DevOps Team all reach a Software Installer share at //ABC-Corps/softwares.)

This Photo by Unknown Author is licensed under CC BY-SA
Azure Files

Azure Files provides a cloud-based file share for storing and sharing files. You then access
these files from applications hosted in Azure App Service, an Azure VM, or an on-premises
machine.

(Figure: QA Team, Development Team and DevOps Team sharing Software Installers through Azure Files.)

Azure Files
▪ Azure Files stores and shares file access between applications and systems in a secure and
failure-resilient manner.
▪ Azure Files enables you to set up highly available network file shares that can be accessed
by using the standard Server Message Block (SMB) protocol.
▪ Multiple VMs can share the same files with both read and write access.
▪ One can access the files from anywhere in the world using a URL that points to the file and
includes a shared access signature (SAS) token.

How to mount an Azure File Share
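The slide title above announces the mount procedure; the following Windows PowerShell script is an added example, not part of the slides or of Microsoft's documentation. The account name, share name and key are placeholders. It checks that SMB can leave the network at all, stores the credential once, and maps the share as a persistent drive.

```powershell
# Added example (not from the slides): mount an Azure file share over SMB on Windows.
# Account name, share name and key are placeholders.
$acct  = 'stdemo01'
$share = 'softwares'
$key   = '<storage-account-key>'     # placeholder; obtain it with Get-AzStorageAccountKey

# SMB to Azure Files uses TCP 445, which many ISPs and corporate firewalls block outbound.
$probe = Test-NetConnection -ComputerName "$acct.file.core.windows.net" -Port 445
if (-not $probe.TcpTestSucceeded) {
    throw "Port 445 is blocked on this network; use a VPN/ExpressRoute path or Azure File Sync instead."
}

# Store the credential in Windows Credential Manager so the mapping survives reboots.
# For a key-based mount the user name is always Azure\<account name>.
cmdkey /add:"$acct.file.core.windows.net" /user:"Azure\$acct" /pass:"$key"

# Map the share as drive Z:. When the account enforces secure transfer the service requires
# SMB 3.x with encryption, which Windows 8.1 / Server 2012 R2 and later support.
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$acct.file.core.windows.net\$share" -Persist

Get-ChildItem Z:\
```

Mounting with the account key gives the machine full access to every share in the account; for per-user permissions on the share, join the account to an Active Directory domain and mount with the user's own identity instead of the key.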
Azure Files
File shares can be used for many common scenarios:

▪ Many on-premises applications use file shares. This feature makes it easier to migrate those
applications that share data to Azure.
▪ Configuration files can be stored on a file share and accessed from multiple VMs.
▪ Resource logs, metrics, and crash dumps are just three examples of data that can be written
to a file share and processed or analyzed later.

Azure Files – Storage Tiers
To allow you to tailor your shares to the performance and price requirements of your scenario, Azure Files offers
four different tiers:

Premium: Premium file shares are backed by solid-state drives (SSDs) and provide consistent high performance and
low latency.

Transaction optimized: Transaction optimized file shares enable transaction-heavy workloads
that don't need the latency offered by premium file shares.

Hot: Hot file shares offer storage optimized for general purpose file sharing scenarios such as team shares. This uses
standard storage hardware backed by HDDs.

Cool: Cool file shares offer cost-efficient storage optimized for online archive storage scenarios. This uses standard
storage hardware backed by HDDs.
Queue Storage
The Azure Queue service is used to store and retrieve messages. Queue messages can be up to
64 KB in size, and a queue can contain millions of messages. Queues are generally used to store
lists of messages to be processed asynchronously.
Table Storage
Azure Table storage is a service that stores structured NoSQL data in the cloud, providing a
key/attribute store with a schema-less design. Because Table storage is schema-less, it's easy to
adapt your data as the needs of your application evolve.
Disk storage
An Azure managed disk is a virtual hard disk (VHD). You can think of it like a
physical disk in an on-premises server, but virtualized. Azure managed disks
are stored as page blobs, which are a random IO storage object in Azure.

We call a managed disk 'managed' because it is an abstraction over page blobs,
blob containers, and Azure storage accounts. With managed disks, all you have
to do is provision the disk, and Azure takes care of the rest.

Disk storage
✓ Disk storage provides disks for virtual machines, applications, and other
services to access and use as they need
✓ A disk can be attached to only 1 VM at a time
✓ Persistent, highly secure, cost-effective SSD option
✓ Lift and shift of applications that read and write data to persistent disks

Different ways to connect to your storage account

▪ Add resources by using Azure Active Directory (Azure AD)
▪ Use a connection string
▪ Use a shared access signature URI
▪ Use a name and key
▪ Attach to a local emulator
▪ Attach to Azure Cosmos DB through a connection string
▪ Attach to Azure Data Lake by using a URI
PowerShell interaction with Azure Storage

Agenda:
▪ Basics of the Az.Storage module
▪ Create a new storage account using PowerShell
▪ Storage context
▪ Operations related to containers
▪ Operations related to blobs
▪ Perform cleanup

Download and install the Az module in your PowerShell:

Install-Module -Name Az -AllowClobber
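The agenda above lists the steps of the PowerShell walkthrough; the script below is an added example that carries all of them out in one run. It is not part of the slides or of Microsoft's documentation, and the resource group, region, container and file names are placeholders. The account is created with the secure settings this deck later recommends (HTTPS only, no anonymous blob access) rather than the defaults.

```powershell
# Added example (not from the slides): create a hardened GPv2 storage account, obtain a
# storage context, work with a container and a blob, then clean everything up.
Connect-AzAccount                                   # interactive sign-in first

$rg       = 'rg-storage-demo'                       # placeholder resource group
$location = 'westeurope'
$acct     = 'stdemo' + (Get-Random -Maximum 99999)  # globally unique, 3-24 lowercase alphanumerics

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Secure defaults at creation time: HTTPS only, TLS 1.2 floor, no anonymous (public)
# blob access, zone-redundant replication, hot tier for the default access tier.
$sa = New-AzStorageAccount -ResourceGroupName $rg -Name $acct -Location $location `
        -SkuName Standard_ZRS -Kind StorageV2 -AccessTier Hot `
        -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2 -AllowBlobPublicAccess $false

# Storage context: the object every data-plane cmdlet takes via -Context. The account
# object carries a key-based context; for day-to-day work prefer an Azure AD context
# (New-AzStorageContext -StorageAccountName $acct -UseConnectedAccount), which needs a
# data-plane role such as Storage Blob Data Contributor on the account.
$ctx = $sa.Context

# Container operations (-Permission Off = private, no anonymous reads)
New-AzStorageContainer -Name 'project1-container' -Permission Off -Context $ctx | Out-Null
Get-AzStorageContainer -Context $ctx | Select-Object Name, PublicAccess

# Blob operations: upload straight into the cool tier, list, download, delete
'hello from PowerShell' | Set-Content -Path .\sample.txt
Set-AzStorageBlobContent -File .\sample.txt -Container 'project1-container' -Blob 'sample.txt' `
    -StandardBlobTier Cool -Context $ctx | Out-Null
Get-AzStorageBlob -Container 'project1-container' -Context $ctx |
    Select-Object Name, BlobType, AccessTier, Length
Get-AzStorageBlobContent -Blob 'sample.txt' -Container 'project1-container' `
    -Destination .\downloaded.txt -Context $ctx -Force | Out-Null
Remove-AzStorageBlob -Blob 'sample.txt' -Container 'project1-container' -Context $ctx

# Cleanup: deleting the resource group deletes the account and all data inside it
Remove-AzResourceGroup -Name $rg -Force
```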
AzCopy
AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy-v10?toc=%2fazure%2fstorage%2fblobs%2ftoc.json

1.) Download & extract azcopy

2.) Set environment variables

3.) azcopy login --tenant-id <<your_tenant_id>>

4.) Perform various copy operations
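The four steps above, carried out in one PowerShell session, as an added example that is not part of the slides or of Microsoft's documentation. The extraction directory, tenant ID, account, container and local paths are placeholders.

```powershell
# Added example (not from the slides): the four AzCopy steps on Windows.
$azcopyDir = 'C:\Tools\azcopy'      # placeholder: where azcopy.exe was extracted
$tenant    = '<your_tenant_id>'     # placeholder
$acct      = 'stdemo01'             # placeholder

# 1) Download & extract: fetch the Windows zip from https://aka.ms/downloadazcopy-v10-windows
#    and extract azcopy.exe into $azcopyDir.

# 2) Environment variables: put azcopy on PATH for this session (use setx or the System
#    dialog to persist it) and send its logs somewhere you actually review.
$env:PATH = "$azcopyDir;$env:PATH"
$env:AZCOPY_LOG_LOCATION = 'C:\Tools\azcopy\logs'

# 3) Sign in with your Azure AD identity (needs Storage Blob Data Contributor on the target)
azcopy login --tenant-id $tenant

# 4) Copy operations
# Upload a local folder tree into a container
azcopy copy 'C:\data\media' "https://$acct.blob.core.windows.net/media" --recursive

# Mirror a folder to a container, removing blobs that no longer exist locally
azcopy sync 'C:\data\media' "https://$acct.blob.core.windows.net/media" --delete-destination=true

# Download a single blob
azcopy copy "https://$acct.blob.core.windows.net/media/intro.mp4" 'C:\data\restore\intro.mp4'

# Review the job list; a non-zero exit code means at least one file failed.
azcopy jobs list
# azcopy jobs show <job-id> --with-status=Failed     # list only the failed transfers of one job
```

Signing in with `azcopy login` keeps account keys and SAS tokens out of shell history; if a SAS must be used (for example for a partner's account), append it to the URL rather than storing it in a script.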


Azure Storage Explorer

Storage Explorer is a GUI application developed by Microsoft to simplify access to, and the
management of, data stored in Azure storage accounts. Storage Explorer is available on
Windows, macOS, and Linux.

Some of the benefits of using Storage Explorer are:

▪ It's easy to connect to and manage multiple storage accounts.
▪ The interface lets you connect to Azure Cosmos DB and Data Lake.
▪ You can also use the interface to update and view entities in your storage accounts.
▪ Storage Explorer is free to download and use.
Thank You
Problem Statement
• You're an administrator for an architecture firm. The firm stores computer-aided design (CAD)
files locally on a Windows Server file share. These CAD files are so large that your on-premises
file share is nearly at capacity.
• The organization needs quick access to the CAD files that are used most frequently. The system
can tolerate some network latency for the files that are used less frequently.

Azure File Sync
• Azure File Sync allows you to extend your on-premises file shares into Azure.
• It works with your existing on-premises file shares to expand your storage capacity and provide
redundancy in the cloud. It requires Windows Server 2012 R2 or later.
• You can access your on-premises file share with any supported file sharing protocol that
Windows Server supports, like SMB, NFS, or FTPS.
• https://docs.microsoft.com/en-us/learn/modules/extend-share-capacity-with-azure-file-sync/
Azure File Sync
Azure File Sync uses your on-premises file server as a local
cache for your Azure file share.
Azure File Sync: Registered Server

• A registered server represents the trust relationship between the on-premises server and the
Storage Sync Service.
• You can register multiple servers to the Storage Sync Service. But a server can be registered
with only one Storage Sync Service at a time.

Azure File Sync
(Figure: Azure file share <-> Azure File Sync <-> on-premises file server.)

Azure File Sync: Sync Group
(Figure: the file share is the cloud endpoint and the on-premises file server is the server
endpoint; both belong to one sync group.)

Azure File Sync
A sync group outlines the replication topology for a set of files or folders. All endpoints
located in the same sync group are kept in sync with each other.

Server endpoint represents a specific location on a registered server, like a folder on a
local disk. Multiple server endpoints can exist on the same volume if their paths don't overlap.

Cloud endpoint is the Azure file share that's part of a sync group. The whole file share syncs
and can be a member of only one cloud endpoint. An Azure file share can be a member of only
one sync group at a time.
Azure Files Storage
Q) The manufacturing company's finance department wants to control how the data is being
transferred to Azure Files. They want a graphical tool to manage the process, but they don't
want to use the Azure portal. What tool do you recommend they use?

✓ Azure Data Box
✓ Robocopy
✓ Azure Storage Explorer

Check your knowledge: Azure File Sync
You've been asked by a local manufacturing company that runs dedicated software in their warehouse
to keep track of stock. The software needs to run on machines in the warehouse, but the management
team wants to access the output from the head office. The limited bandwidth available in the
warehouse caused them problems in the past when they tried to use cloud-based solutions. You
recommend that they use Azure Files. Which is the best method to sync the files with the cloud?

A.) Create an Azure Files share and directly mount shares on the machines in the warehouse.
B.) Use a machine in the warehouse to host a file share, install Azure File Sync, and share a drive with
the rest of the warehouse.
C.) Install Azure File Sync on every machine in the warehouse and head office.

Answer: B
Azure Storage: Security Features
▪ Protect the data at rest
▪ Protect the data in transit
▪ Support browser cross-domain access
▪ Control who can access data
▪ Audit storage access

Azure Files Storage: Security Options
https://docs.microsoft.com/en-us/learn/modules/store-and-share-with-azure-files/5-secure-azure-files
Encryption at Rest
All data written to Azure Storage is automatically encrypted by Storage Service
Encryption (SSE) with a 256-bit Advanced Encryption Standard (AES) cipher, and is
FIPS 140-2 compliant.
SSE automatically encrypts data when writing it to Azure Storage.

When you read data from Azure Storage, Azure Storage decrypts the data before
returning it. This process incurs no additional charges and doesn't degrade
performance. It can't be disabled.

For virtual machines (VMs), Azure lets you encrypt virtual hard disks (VHDs) by
using Azure Disk Encryption. This encryption uses BitLocker for Windows images,
and it uses dm-crypt for Linux.
Encryption in Transit
Keep your data secure by enabling transport-level security between Azure and the
client. Always use HTTPS to secure communication over the public internet.

When you call the REST APIs to access objects in storage accounts, you can enforce
the use of HTTPS by requiring secure transfer for the storage account. After you
enable secure transfer, connections that use HTTP will be refused.

This flag will also enforce secure transfer over SMB by requiring SMB 3.0 for all file
share mounts.
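The secure-transfer flag described above is set per account, so the practical question for a defender is which accounts in a subscription still accept HTTP or old TLS. The script below is an added example, not part of the slides or of Microsoft's documentation. It audits every storage account the signed-in identity can see and, when `$remediate` is switched on, applies the two settings to the non-compliant ones.

```powershell
# Added example (not from the slides): audit every storage account in the current
# subscription for secure transfer (HTTPS only) and the TLS floor, then remediate.
# Leave $remediate = $false for a report-only run.
$remediate = $false

$findings = foreach ($sa in Get-AzStorageAccount) {
    $httpsOnly = [bool]$sa.EnableHttpsTrafficOnly
    $tls       = [string]$sa.MinimumTlsVersion     # empty on accounts that never had it set
    $tlsOk     = $tls -in @('TLS1_2', 'TLS1_3')

    [pscustomobject]@{
        Account       = $sa.StorageAccountName
        ResourceGroup = $sa.ResourceGroupName
        HttpsOnly     = $httpsOnly
        MinTls        = if ($tls) { $tls } else { 'unset' }
        Compliant     = ($httpsOnly -and $tlsOk)
    }
}

$findings | Sort-Object Compliant, Account | Format-Table -AutoSize

if ($remediate) {
    foreach ($f in $findings | Where-Object { -not $_.Compliant }) {
        # Forces HTTPS for REST and SMB 3.x with encryption for file shares. Plain HTTP and
        # SMB 2.x clients are refused from this point on, so check the account's request
        # logs for such clients before flipping a production account.
        Set-AzStorageAccount -ResourceGroupName $f.ResourceGroup -Name $f.Account `
            -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2
        Write-Host "Remediated $($f.Account)"
    }
}
```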
Role-Based Access Control
Azure Storage supports Azure Active Directory and role-based access control
(RBAC) for both resource management and data operations.
To security principals, you can assign RBAC roles that are scoped to the storage
account. Use Active Directory to authorize resource management operations, such
as configuration. Active Directory is supported for data operations on Blob and
Queue storage.

To a security principal or a managed identity for Azure resources, you can assign
RBAC roles that are scoped to a subscription, a resource group, a storage account,
or an individual container or queue.
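The container-level scoping described above is what answers the earlier "give user XYZ full access to project1_container and nothing else" requirement. The script below is an added example, not part of the slides or of Microsoft's documentation; the resource group, account, container and sign-in name are placeholders.

```powershell
# Added example (not from the slides): grant one user data access to exactly one container
# and nothing else in the account, then verify what the user can do.
$sub       = (Get-AzContext).Subscription.Id
$rg        = 'rg-storage-demo'            # placeholder
$acct      = 'stdemo01'                   # placeholder
$container = 'project1-container'         # placeholder
$user      = 'xyz@contoso.example'        # placeholder sign-in name

# Scope string for a single container. RBAC scopes nest downward, so a role assigned
# here grants nothing on other containers, queues, or storage accounts.
$scope = "/subscriptions/$sub/resourceGroups/$rg/providers/Microsoft.Storage/storageAccounts/$acct" +
         "/blobServices/default/containers/$container"

# Use a data-plane role. Management-plane roles such as Contributor can list the account
# keys, and a key reaches every container, which defeats the container scope.
New-AzRoleAssignment -SignInName $user -RoleDefinitionName 'Storage Blob Data Contributor' -Scope $scope

# Verify: every assignment this user holds on the account, including ones inherited via groups
Get-AzRoleAssignment -SignInName $user -ExpandPrincipalGroups |
    Where-Object { $_.Scope -like "*/storageAccounts/$acct*" } |
    Select-Object RoleDefinitionName, Scope

# For an application, assign to its managed identity instead of a user:
# New-AzRoleAssignment -ObjectId '<managed-identity-principal-id>' `
#     -RoleDefinitionName 'Storage Blob Data Reader' -Scope $scope
```

Role assignments can take a few minutes to propagate to the data plane, so a freshly granted user may see 403 responses briefly; that is a known delay, not a misconfiguration.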
CORS Support
Contoso stores several website asset types in Azure Storage. These types include
images and videos. To secure browser apps, Contoso locks GET requests down to
specific domains.
Azure Storage supports cross-domain access through cross-origin resource sharing
(CORS). CORS uses HTTP headers so that a web application at one domain can
access resources from a server at a different domain. By using CORS, web apps
ensure that they load only authorized content from authorized sources.

CORS support is an optional flag you can enable on Storage accounts. The flag adds
the appropriate headers when you use HTTP GET requests to retrieve resources
from the Storage account.
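The Contoso scenario above (browser GETs limited to specific domains) expressed as a CORS rule on the blob service, as an added example that is not part of the slides or of Microsoft's documentation. The account, resource group and origins are placeholders.

```powershell
# Added example (not from the slides): allow cross-origin browser reads of blobs only
# from Contoso's own web origins, and only with safe methods.
$rg   = 'rg-storage-demo'     # placeholder
$acct = 'stdemo01'            # placeholder
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $acct)[0].Value
$ctx  = New-AzStorageContext -StorageAccountName $acct -StorageAccountKey $key

$corsRules = @(
    @{
        AllowedOrigins  = @('https://www.contoso.example', 'https://app.contoso.example')  # never '*' for private data
        AllowedMethods  = @('Get', 'Head')                        # no Put/Delete from the browser
        AllowedHeaders  = @('x-ms-blob-content-type', 'Range')
        ExposedHeaders  = @('Content-Length', 'Content-Range')
        MaxAgeInSeconds = 3600                                    # how long a browser may cache the preflight answer
    }
)

# Replaces the whole CORS rule set for the chosen service (Blob, Table, Queue or File)
Set-AzStorageCORSRule -ServiceType Blob -CorsRules $corsRules -Context $ctx

# Verify what is actually configured
Get-AzStorageCORSRule -ServiceType Blob -Context $ctx

# To switch CORS off again for the service:
# Remove-AzStorageCORSRule -ServiceType Blob -Context $ctx
```

CORS only tells browsers which pages may read a response; it is not authentication, and non-browser clients ignore it. The blobs themselves still need a SAS or an RBAC-authorized identity unless the container is deliberately public.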
Auditing Access
Auditing is another part of controlling access. You can audit Azure Storage access
by using the built-in Storage Analytics service.

Storage Analytics logs every operation in real time, and you can search the Storage
Analytics logs for specific requests. Filter based on the authentication mechanism,
the success of the operation, or the resource that was accessed.
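To make the auditing step concrete, the following script is an added example, not part of the slides or of Microsoft's documentation. It enables Storage Analytics logging for the blob service, downloads the current day's log files from the `$logs` container, and counts requests by authentication mechanism, which is the filter the slide mentions. The resource group and account are placeholders.

```powershell
# Added example (not from the slides): enable classic Storage Analytics logging on the
# blob service, then summarize today's requests by authentication type.
$rg   = 'rg-storage-demo'     # placeholder
$acct = 'stdemo01'            # placeholder
$key  = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $acct)[0].Value
$ctx  = New-AzStorageContext -StorageAccountName $acct -StorageAccountKey $key

# Log read, write and delete operations and keep them 90 days (they land in the $logs container)
Set-AzStorageServiceLoggingProperty -ServiceType Blob -LoggingOperations Read,Write,Delete `
    -RetentionDays 90 -Context $ctx
Get-AzStorageServiceLoggingProperty -ServiceType Blob -Context $ctx

# Log lines are semicolon-separated; the 8th field (index 7) is the authentication type:
# authenticated (key or Azure AD), sas, or anonymous.
$today = (Get-Date).ToUniversalTime().ToString('yyyy/MM/dd')
$tmp   = Join-Path $env:TEMP 'storagelogs'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null

# Single quotes keep PowerShell from expanding $logs as a variable
Get-AzStorageBlob -Container '$logs' -Prefix "blob/$today/" -Context $ctx |
    Get-AzStorageBlobContent -Destination $tmp -Context $ctx -Force | Out-Null

Get-ChildItem -Path $tmp -Recurse -File | Get-Content |
    ForEach-Object { ($_ -split ';')[7] } |
    Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
```

A sudden rise in `anonymous` or `sas` entries on an account that is supposed to be reached only by authenticated identities is the kind of signal this summary is meant to surface; the Azure Monitor integration covered later in the deck offers the same data with query and alerting support.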
Azure Storage Security
https://docs.microsoft.com/en-us/azure/storage/blobs/security-recommendations

Check your knowledge
https://docs.microsoft.com/en-us/learn/modules/secure-azure-storage-account/8-summary

Azure Storage Monitoring
Azure Blob storage creates monitoring data by using Azure Monitor, which is a full
stack monitoring service in Azure.
Azure Monitor provides a complete set of features to monitor your Azure
resources and resources in other clouds and on-premises.

https://docs.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage?tabs=azure-portal
Data Protection
"Whosoever has come to this world will surely go one day. This is the process of life."

"Everything has a lifecycle. You have to believe it's going to change."

Data Lifecycle
This Photo by Unknown Author is licensed under CC BY-ND
Lifecycle Management
Azure Blob Storage lifecycle management offers a rich, rule-based policy for GPv2 and blob
storage accounts.

Use the policy to transition your data to the appropriate access tiers or expire it at the end
of the data's lifecycle.

Azure Blob Storage Life Cycle Management (figure):
Hot (0 days) -> Cool (30 days) -> Archive (180 days) -> Delete (500 days)

Lifecycle Management
The lifecycle management policy lets you:
▪ Transition blobs from cool to hot immediately if accessed, to optimize for performance
▪ Transition blobs, blob versions, and blob snapshots to a cooler storage tier (hot to cool,
hot to archive, or cool to archive) if not accessed or modified for a period of time, to
optimize for cost
▪ Delete blobs, blob versions, and blob snapshots at the end of their lifecycles
▪ Define rules to be run once per day at the storage account level
▪ Apply rules to containers or a subset of blobs (using name prefixes or blob index tags as filters)
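The Hot, Cool, Archive and Delete timeline from the lifecycle slides (30, 180 and 500 days) as a lifecycle management policy built with Az PowerShell. This is an added example, not part of the slides or of Microsoft's documentation; the resource group, account and container prefix are placeholders.

```powershell
# Added example (not from the slides): the Hot -> Cool (30 d) -> Archive (180 d) -> Delete (500 d)
# timeline as a lifecycle policy, scoped to block blobs in one container.
$rg   = 'rg-storage-demo'     # placeholder
$acct = 'stdemo01'            # placeholder

# Actions on the base blob, keyed on days since last modification
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToCool    -DaysAfterModificationGreaterThan 30
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction TierToArchive -DaysAfterModificationGreaterThan 180 -InputObject $action
$action = Add-AzStorageAccountManagementPolicyAction -BaseBlobAction Delete        -DaysAfterModificationGreaterThan 500 -InputObject $action
# Snapshots are rarely needed for long; drop them 90 days after creation
$action = Add-AzStorageAccountManagementPolicyAction -SnapshotAction Delete -DaysAfterCreationGreaterThan 90 -InputObject $action

# Filter: block blobs in the 'media' container only. A rule without a filter applies to the whole account.
$filter = New-AzStorageAccountManagementPolicyFilter -PrefixMatch 'media/' -BlobType blockBlob

$rule = New-AzStorageAccountManagementPolicyRule -Name 'media-tiering' -Action $action -Filter $filter

# Setting the policy replaces any existing rules; the platform evaluates them about once a day
Set-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $acct -Rule $rule

# Review the resulting policy as JSON, which is also the form the portal and ARM templates use
(Get-AzStorageAccountManagementPolicy -ResourceGroupName $rg -StorageAccountName $acct).Rules |
    ConvertTo-Json -Depth 6
```

The Delete action is irreversible once the daily run fires, so test a new rule first with a narrow prefix (or with the rule created `-Disabled`) and keep soft delete enabled on the account as a safety net; rehydrating a blob from Archive is slow and billed, which is why the slide reserves that tier for data rarely read after 180 days.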
Thank You
