Azure Storage Flashcards
Container (blob) storage
Object storage solution for the cloud.
Optimized for massive amounts of unstructured data.
Can be accessed directly from anywhere in the world via HTTP or HTTPS (URLs, Azure Storage REST API, Azure PowerShell, Azure CLI, Azure Storage Client library)
Azure Files
highly available network file shares.
can be accessed by using the standard Server Message Block (SMB) protocol.
can be accessed from anywhere in the world using a URL and shared access signature (SAS) token.
Queue Storage
service used to store and retrieve messages.
Queue messages can be up to 64 KB in size and a queue can contain millions of messages.
Used to store lists of messages to be processed asynchronously.
Table storage
Azure Table storage is now part of Azure Cosmos DB.
Recommended usage for Standard general-purpose v2 Storage account
most scenarios including Blob, File, Queue, Table and Data Lake storage.
Premium block blobs storage account recommended usage
Block blob scenarios with high transaction rates, or that use smaller objects, or that require consistently low storage latency.
Premium file shares storage account recommended usage
enterprise or high-performance file share applications
Premium page blobs storage account recommended usage
Premium high-performance page blob scenarios
Locally redundant storage (LRS) - cost, fault tolerance, use cases
Lowest-cost replication option.
all replicas may be lost or unrecoverable if a datacenter-level disaster occurs.
application stores data that can easily be reconstructed if data loss occurs
Zone redundant storage (ZRS)
replicates data across three storage clusters in a single region.
each cluster is physically separated from the others (own availability zone)
not available in all regions.
Geo-Redundant storage
Replicates data to a secondary region.
Can withstand region level faults!
16 9s of durability (99.99999999999999%)
GRS vs RA-GRS storage
GRS: data in the secondary region is only available to be read if Microsoft initiates a failover from the primary to the secondary region.
RA-GRS: data in the secondary region is read-available regardless of failover initiation.
Geo-zone redundant storage
Data is replicated across three availability zones in the primary region and also replicated to a secondary region.
combines the high-availability of ZRS with protection from regional outages provided by GRS.
Storage access
every object that you store in Azure Storage has a unique URL address.
subdomain (storage account name) + domain forms an endpoint.
The default endpoints for your storage account are:
Container service: //mystorageaccount.blob.core.windows.net
Table service: //mystorageaccount.table.core.windows.net
Queue service: //mystorageaccount.queue.core.windows.net
File service: //mystorageaccount.file.core.windows.net
Blob service resource hierarchy
The storage account
Containers in storage account
Blobs in a container
Blob lifecycle management rules
The lifecycle management policy lets you:
Transition blobs to a cooler storage tier (hot to cool, hot to archive, or cool to archive) to optimize for performance and cost.
Delete blobs at the end of their lifecycles.
Define rules to be run once per day at the storage account level.
Apply rules to containers or a subset of blobs.
Blob object replication
Object replication asynchronously copies block blobs in a container according to rules that you configure.
Azure storage security capabilities (Encryption)
Encryption. All data written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).
Authorization options.
With Azure AD, you can assign fine-grained access to users, groups, or applications via role-based access control (RBAC).
Shared Key. Shared Key authorization relies on your account access keys and other parameters to produce an encrypted signature string that is passed on the request in the Authorization header.
Shared access signatures. Shared access signatures (SAS) delegate access to a particular resource in your account with specified permissions and over a specified time interval.
Anonymous access to containers and blobs. You can optionally make blob resources public at the container or blob level. A public container or blob is accessible to any user for anonymous read access. Read requests to public containers and blobs do not require authorization.
Shared Access Signatures (SAS)
A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources.
By distributing a SAS URI to these clients, you grant them access to a resource for a specified period of time.
SAS is a secure way to share your storage resources without compromising your account keys.
SAS: account-level and service-level control.
The account-level SAS delegates access to resources in one or more of the storage services.
The service-level SAS delegates access to a resource in just one of the storage services.
URI and SAS parameters
Resource URI: https://myaccount.blob.core.windows.net/?restype=service&comp=properties (blob service endpoint)
Storage Services Version: sv=2015-04-05
Services: ss=bf (applies to blob and file services)
Resource Types: srt=s (service level operations)
Start Time: st=2015-04-29T22%3A18%3A26Z (UTC time)
Expiry Time: se=2015-04-30T02%3A23%3A26Z (UTC Time)
Resource: sr=b (resource is a blob)
Permissions: sp=rw (read write permissions)
IP Range: sip=168.1.5.60-168.1.5.70 (range of accepted addresses)
Protocol: spr=https (only requests using HTTPS are permitted)
Signature: sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B (used to authenticate access to the blob)
https://myaccount.blob.core.windows.net/?restype=service&comp=properties&sv=2015-04-05&ss=bf&srt=s&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=F%6GRVAZ5Cdj2Pw4txxxxx
Azure Storage Service Encryption
SSE automatically encrypts your data before persisting it to Azure-managed Disks, Azure Blob, Queue, Table storage, or Azure Files, and decrypts the data before retrieval.
Customer managed keys
give you more flexibility and control: you can create, disable, audit, and rotate the keys and define access controls on them.
SAS risks
If a SAS is compromised, it can be used by anyone who obtains it.
If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application’s functionality may be hindered.
SAS best practices
Always use HTTPS to create or distribute a SAS
Reference stored access policies where possible.
Have clients automatically renew the SAS if necessary
Use near-term expiration times on an unplanned SAS
Be specific with the resource to be accessed.
Validate data written using SAS.
Azure Files vs Blobs
Azure files are true directory objects. Azure blobs are a flat namespace.
Azure files are accessed through file shares. Azure blobs are accessed through a container.
Azure files provide shared access across multiple virtual machines. Azure disks are exclusive to a single virtual machine.
Azure files: common usage
Replace and supplement. Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS devices.
Access anywhere. Popular operating systems such as Windows, macOS, and Linux can directly mount Azure File shares wherever they are in the world.
Lift and shift. Azure Files makes it easy to “lift and shift” applications to the cloud that expect a file share to store file application or user data.
Azure File Sync. Azure File shares can also be replicated with Azure File Sync to Windows Servers, either on-premises or in the cloud, for performance and distributed caching of the data where it’s being used.
Shared applications. Storing shared application settings, for example in configuration files.
Diagnostic data. Storing diagnostic data such as logs, metrics, and crash dumps in a shared location.
Tools and utilities. Storing tools and utilities needed for developing or administering Azure virtual machines or cloud services.
File share snapshots
share snapshots capture a point-in-time, read-only copy of your data.
Azure Files: When to use Share snapshots
Protection against application error and data corruption.
Protection against accidental deletions or unintended changes.
General backup purposes.
Azure Storage Security Capabilities (Authentication)
Authentication. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) are supported for Azure Storage for both resource management operations and data operations.
Azure Storage Security Capabilities (Data in Transit)
Data in transit. Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.
Azure Storage Security Capabilities (Disk Encryption)
Disk encryption. OS and data disks used by Azure virtual machines can be encrypted using Azure Disk Encryption.
Azure Storage Security Capabilities (Shared Access Signatures)
Shared Access Signatures. Delegated access to the data objects in Azure Storage can be granted using Shared Access Signatures.