Explore Azure Blob Storage Flashcards

1
Q

What is blob storage?

A
  • Storage that is optimised for storing massive amounts of unstructured data
  • Data that doesn’t adhere to a particular data model or definition such as text or binary
2
Q

What is blob storage designed for?

A
  • serving images or docs directly to browser
  • storing files for distributed access
  • Streaming video and audio
  • writing to log files
  • storing data for backup and restore, recovery and archiving
3
Q

How can blobs be accessed?

A
  • via HTTP/HTTPS
  • Azure Storage REST API, PowerShell, CLI or AZ client library
4
Q

What is a storage account?

A
  • top level container for all blob storage
  • provides a unique namespace for your storage data that is accessible from anywhere in the world over HTTP/S
5
Q

What is the standard storage account type?

A

general purpose V2, recommended for most scenarios

6
Q

What is the premium storage account type?

A
  • Higher performance than standard by using SSDs
  • 3 subtypes: block blob, page blob, or file share
7
Q

What is block blob?

A
  • Type of premium storage account used for block blobs and append blobs
  • good for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency
8
Q

What is the base address for objects in your SA?

A
  • every object stored in AZ storage has an address that includes the unique account name
  • the combination of the account name and the Azure Storage blob endpoint forms the base address for objects in the SA
9
Q

What are the different storage access tiers?

A
  • Hot = frequent access, high storage and low access costs, default option
  • cool = infrequent access (stored for 30 days), optimised for large data, lower storage and higher access costs
  • cold = infrequent access (min of 90 days), lower storage and higher access costs
  • archive = for individual block blobs, infrequent access that can take several hours of retrieval time and remains in archive tier for at least 180 days, cost efficient but expensive access costs
10
Q

What is a container?

A
  • organises a set of blobs, similar to directory in file system
  • SA can include an unlimited number of containers and a container can store an unlimited number of blobs
  • must have valid DNS name
  • between 3-63 chars, alphanumeric, lowercase, can have a hyphen but not two in a row
11
Q

What are the blob types supported by AZ storage?

A
  • Block Blobs = text or binary data made up of blocks of data that can be managed individually, up to 190.7 TiB
  • Append Blobs = blocks like block blobs but optimised for append operations, ideal for logging data from VMs
  • Page blobs = store random access files up to 8TB in size, virtual hard drive files serve as disks for azure VMs
12
Q

What security features does AZ storage provide?

A
  • All data written is auto encrypted using Storage Service Encryption (SSE)
  • data can be secured in transit between app and Azure using client side encryption, HTTPS or SMB 3.0
  • OS and data disks used by Azure VMs can be encrypted using Azure disk encryption
  • Delegated access to the data objects in storage can be granted using a shared access signature
13
Q

How does RBAC work with Azure Storage?

A
  • You can assign RBAC roles scoped to the SA to security principals and use Entra ID to authorize resource management operations such as key mgmt
  • Entra integration is supported for blob and queue data operations
  • You can assign RBAC roles scoped to a sub, rg, SA, or individual container/queue to a security principal or managed ID for azure resources
14
Q

What type of keys can be used on storage accounts?

A
  • Microsoft Managed keys
  • customer managed key = used to encrypt all data in all services in SA
  • customer provided key = gives granular control over how blob data is encrypted
14
Q

What are Microsoft managed keys?

A
  • supports all AZ storage services and the Microsoft key store
  • Microsoft is responsible for key rotation, usage and access
14
Q

How does Azure encrypt data?

A
  • auto encrypted when persisting to the cloud
  • encrypted and decrypted using 256-bit AES encryption and is FIPS 140-2 compliant
  • enabled for all new and existing storage accounts and can't be disabled
  • no code modifications needed
  • all resources encrypted at no cost regardless of payment tier
15
Q

What are customer managed keys?

A
  • supports blob storage and azure files alongside AZ key vault
  • key rotation is responsibility of customer
  • key is used by the portal, storage REST API, storage mgmt libraries, PS and CLI
  • Both Microsoft and customer have access to the key
16
Q

What are customer provided keys?

A
  • Supports blob storage alongside key vault or any other key store
  • key rotation is responsibility of customer
  • key is used by storage REST API and storage client libraries
  • only customer has access to the key
17
Q

What is $web?

A
  • container that allows you to serve static HTML content
  • enables you to use serverless architecture that includes AZ functions and other PaaS services
  • great option in cases where you don’t require a web server to render content
  • limited in that you can't configure headers without Azure CDN
18
Q

How do we enable $web?

A
  • needs to be enabled on the storage account
  • when enabled, the container is auto created
  • on the portal, visit the static website tab inside a storage account
19
Q

How does access level work with the $web container and the content it hosts?

A
  • You can modify the access level of the container, but it has no impact on the primary static website endpoint, as these files are served through anon access requests, meaning public (read-only) access to all files
  • it does impact the primary blob service endpoint though
20
Q

Can we enable HTTPS on a static site hosted in the $web container?

A
  • Yes, but you have to use Azure CDN