Azure Storage Flashcards

1
Q

Container (blob) storage

A

Object storage solution for the cloud.

Optimized for massive amounts of unstructured data.

Can be accessed directly from anywhere in the world via HTTP or HTTPS (URLs, Azure Storage REST API, Azure PowerShell, Azure CLI, Azure Storage Client library)

2
Q

Azure Files

A

highly available network file shares.

can be accessed by using the standard Server Message Block (SMB) protocol.

can be accessed from anywhere in the world using a URL and shared access signature (SAS) token.

3
Q

Queue Storage

A

service used to store and retrieve messages.

Queue messages can be up to 64 KB in size, and a queue can contain millions of messages.

Used to store lists of messages to be processed asynchronously.

4
Q

Table storage

A

Azure Table storage is now part of Azure Cosmos DB.

5
Q

Recommended usage for Standard general-purpose v2 Storage account

A

most scenarios including Blob, File, Queue, Table and Data Lake storage.

6
Q

Premium block blobs storage account recommended usage

A

Block blob scenarios with high transaction rates, OR smaller objects OR consistently low storage

7
Q

Premium file shares storage account recommended usage

A

enterprise or high-performance file share applications

8
Q

Premium page blobs storage account recommended usage

A

Premium high-performance page blob scenarios

9
Q

Locally redundant storage (LRS) - cost, fault-tolerance, use cases

A

Lowest-cost replication option.

all replicas may be lost or unrecoverable if a datacenter-level disaster occurs.

application stores data that can easily be reconstructed if data loss occurs

10
Q

Zone redundant storage (ZRS)

A

replicates data across (3) storage clusters in a single region.

each cluster is physically separated from the others (own availability zone)

not available in all regions.

11
Q

Geo-Redundant storage

A

Replicates data to a secondary region.

Can withstand region level faults!

16 9s of durability (99.99999999999999%)

12
Q

GRS vs RA-GRS storage

A

GRS: data in secondary regions is only available to be read if Microsoft initiates a failover from primary to secondary region.

RA-GRS: data in the secondary region is available for reads regardless of failover initiation.

13
Q

Geo-zone redundant storage

A

Data is replicated across three availability zones in the primary region and also replicated to a secondary region.

combines the high-availability of ZRS with protection from regional outages provided by GRS.

14
Q

Storage access

A

every object that you store in Azure Storage has a unique URL address.

subdomain(storage account name)+domain forms an endpoint.

The default endpoints for your storage account are:
Container service: //mystorageaccount.blob.core.windows.net
Table service: //mystorageaccount.table.core.windows.net
Queue service: //mystorageaccount.queue.core.windows.net
File service: //mystorageaccount.file.core.windows.net

15
Q

Blob service resource hierarchy

A

The storage account

Containers in storage account

Blobs in a container

16
Q

Blob lifecycle management rules

A

The lifecycle management policy lets you:

Transition blobs to a cooler storage tier (hot to cool, hot to archive, or cool to archive) to optimize for performance and cost.
Delete blobs at the end of their lifecycles.
Define rules to be run once per day at the storage account level.
Apply rules to containers or a subset of blobs.
17
Q

Blob object replication

A

Object replication asynchronously copies block blobs in a container according to rules that you configure.

18
Q

Azure storage security capabilities (Encryption)

A

Encryption. All data written to Azure Storage is automatically encrypted using Storage Service Encryption (SSE).

19
Q

Authorization options.

A

With Azure AD, you can assign fine-grained access to users, groups, or applications via role-based access control (RBAC).

Shared Key. Shared Key authorization relies on your account access keys and other parameters to produce an encrypted signature string that is passed on the request in the Authorization header.

Shared access signatures. Shared access signatures (SAS) delegate access to a particular resource in your account with specified permissions and over a specified time interval.

Anonymous access to containers and blobs. You can optionally make blob resources public at the container or blob level. A public container or blob is accessible to any user for anonymous read access. Read requests to public containers and blobs do not require authorization.

20
Q

Shared Access Signatures (SAS)

A

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources.

By distributing a SAS URI to these clients, you grant them access to a resource for a specified period of time.

SAS is a secure way to share your storage resources without compromising your account keys.

21
Q

SAS: account-level and storage level control.

A

The account-level SAS delegates access to resources in one or more of the storage services.

The service-level SAS delegates access to a resource in just one of the storage services.

22
Q

URI and SAS parameters

A

Resource URI: https://myaccount.blob.core.windows.net/?restype=service&comp=properties (blob service endpoint)

Storage Services Version: sv=2015-04-05

Services: ss=bf (applies to blob and file services)

Resource Types: srt=s (service level operations)

Start Time: st=2015-04-29T22%3A18%3A26Z (UTC time)

Expiry Time: se=2015-04-30T02%3A23%3A26Z (UTC Time)

Resource: sr=b (resource is a blob)

Permissions: sp=rw (read write permissions)

IP Range: sip=168.1.5.60-168.1.5.70 (range of accepted addresses)

Protocol: spr=https (only requests using HTTPS are permitted)

Signature: sig=F%6GRVAZ5Cdj2Pw4tgU7IlSTkWgn7bUkkAg8P6HESXwmf%4B (used to authenticate access to the blob)

https://myaccount.blob.core.windows.net/?restype=service&comp=properties&sv=2015-04-05&ss=bf&srt=s&st=2015-04-29T22%3A18%3A26Z&se=2015-04-30T02%3A23%3A26Z&sr=b&sp=rw&sip=168.1.5.60-168.1.5.70&spr=https&sig=F%6GRVAZ5Cdj2Pw4txxxxx

23
Q

Azure Storage Service Encryption

A

SSE automatically encrypts your data before persisting it to Azure-managed Disks, Azure Blob, Queue, Table storage, or Azure Files, and decrypts the data before retrieval.

24
Q

Customer managed keys

A

give you more flexibility and control. You can create, disable, audit, rotate, and define access controls.

25
Q

SAS risks

A

If a SAS is compromised, it can be used by anyone who obtains it.

If a SAS provided to a client application expires and the application is unable to retrieve a new SAS from your service, then the application’s functionality may be hindered.

26
Q

SAS best practices

A

Always use HTTPS to create or distribute a SAS

Reference stored access policies where possible.

Have clients automatically renew the SAS if necessary

Use near-term expiration times on an unplanned SAS

Be specific with the resource to be accessed.

Validate data written using SAS.

27
Q

Azure Files vs Blobs

A

Azure files are true directory objects. Azure blobs are a flat namespace.

Azure files are accessed through file shares. Azure blobs are accessed through a container.

Azure files provide shared access across multiple virtual machines. Azure disks are exclusive to a single virtual machine.

28
Q

Azure files: common usage

A

Replace and supplement. Azure Files can be used to completely replace or supplement traditional on-premises file servers or NAS devices.

Access anywhere. Popular operating systems such as Windows, macOS, and Linux can directly mount Azure File shares wherever they are in the world.

Lift and shift. Azure Files makes it easy to “lift and shift” applications to the cloud that expect a file share to store file application or user data.

Azure File Sync. Azure File shares can also be replicated with Azure File Sync to Windows Servers, either on-premises or in the cloud, for performance and distributed caching of the data where it’s being used.

Shared applications. Storing shared application settings, for example in configuration files.

Diagnostic data. Storing diagnostic data such as logs, metrics, and crash dumps in a shared location.

Tools and utilities. Storing tools and utilities needed for developing or administering Azure virtual machines or cloud services.

29
Q

File share snapshots

A

Share snapshots capture a point-in-time, read-only copy of your data.

30
Q

Azure Files: When to use Share snapshots

A

Protection against application error and data corruption.

Protection against accidental deletions or unintended changes.

General backup purposes.

31
Q

Azure Storage Security Capabilities (Authentication)

A

Authentication. Azure Active Directory (Azure AD) and Role-Based Access Control (RBAC) are supported for Azure Storage for both resource management operations and data operations:

32
Q

Azure Storage Security Capabilities (Data in Transit)

A

Data in transit. Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.

33
Q

Azure Storage Security Capabilities (Disk Encryption)

A

Disk encryption. OS and data disks used by Azure virtual machines can be encrypted using Azure Disk Encryption.

34
Q

Azure Storage Security Capabilities (Shared Access Signatures)

A

Shared Access Signatures. Delegated access to the data objects in Azure Storage can be granted using Shared Access Signatures