Implement and manage storage in Azure Flashcards
What is Microsoft’s Cloud Storage solution?
Azure Storage
What types of objects can be stored in Azure storage?
Files, messages, tables, and other types of information.
What are the 3 data structures that Azure Storage supports?
Structured data, unstructured data, and virtual machine data.
Define ‘Virtual machine data’
Disks and files.
Describe how a VM uses a virtual disk
Persistent block storage for Azure IaaS virtual machines; Store data like database files, website static content, or custom application code.
Describe how Virtual machine data files are managed
Fully managed file shares in the cloud.
Describe the format of ‘Unstructured data’
The format of unstructured data is referred to as nonrelational.
What two Azure Storage services are used to store unstructured data?
Azure Blob Storage and Azure Data Lake Storage.
Describe ‘Structured data’
Stored in a relational format; Often contained in a database table with rows, columns, and keys.
What are the 3 Azure storage services that store structured data?
Azure Table Storage, Azure Cosmos DB, and Azure SQL Database.
Define ‘Azure Cosmos DB’
Globally distributed database service.
Define ‘Azure SQL Database’
Fully managed database-as-a-service built on SQL.
What are the two tiers of general purpose Azure Storage?
Standard and Premium.
Describe the standard tier of general purpose azure storage
Data is stored on HDDs; A standard storage account provides the lowest cost per GB.
Describe the premium tier azure storage
Data is stored on SSDs; Offers consistent low-latency performance.
How can resiliency be ensured with Azure storage?
Configuring data replication across datacenters or geographical regions for protection.
Does Azure storage encrypt all data?
Yes.
What are the four data services offered by Azure Storage?
- Azure Blob Storage (containers)
- Azure Files
- Azure Queue Storage
- Azure Table Storage
Describe the purpose of ‘Azure Blob Storage (containers)’
For storing large amounts of unstructured/nonrelational data.
What is blob storage ideal for?
Serving content to a web app; Storing data for backup/analysis; Videos/Text/Images/Installers.
How can Azure blob storage be accessed?
Via HTTP(s)/Azure Shell; Shared access signature (SAS); API; Shared key
Describe Azure Files and how it can be accessed
Enables highly available network file shares; Shares can be accessed via SMB and NFS protocol.
What is Azure Files ideal for?
Applications (containers) and their data; Storing config files accessed by VMs; Logs; Migrating data.
Describe the purpose of ‘Azure Queue Storage’
Used to store and retrieve messages.
What typeof data is stored with ‘Azure Table Storage’?
Stores non-relational structured data (NoSQL).
List the four Azure storage account options/SKUs
- Standard/premium general-purpose v2
- Premium block blobs
- Premium file shares
- Premium page blobs
What types of data can be stored with the ‘General-purpose v2’ Azure storage account type/SKU
Can be used for most scenarios; blobs, file shares, queues, tables, and disks (page blobs).
What types of data is stored with ‘Premium block blobs’ Azure storage account type/SKU?
Block blobs and append blobs only; Recommended for applications with high transaction rates.
Describe the ‘Premium file shares’ Azure storage account type
For file shares only; Recommended for enterprise or high-performance scale applications.
What types of data can be stored with ‘Premium page blobs’ Azure storage account type/SKU?
Page blobs only; Operating systems, data disks for virtual machines, and databases.
What are the four replication services offered by Azure Storage?
- Locally redundant storage (LRS)
- Zone redundant storage (ZRS)
- Geo-redundant storage (GRS)
- Geo-zone-redundant storage (GZRS)
Describe ‘Locally redundant storage (LRS)’
Replicates data within the same datacenter; Lowest-cost replication option and offers the least durability compared to others.
What are best use cases for Locally redundant storage (LRS)?
Data replication is restricted within a country/region due to data governance requirements; Storing frequently changed data.
Describe ‘Zone redundant storage (ZRS)’
Synchronously replicates your data across three availability zones in a single region.
Describe ‘Geo-redundant storage (GRS)’
Replicates your data to a secondary region to offer redundancy during a region outage.
What is the guaranteed SLA of Geo-redundant storage (GRS)?
99.99999999999999% (16 9’s) durability.
What are the two forms of Geo-redundant storage (GRS)?
- GRS
- Read-access geo-redundant storage (RA-GRS)
How does Geo-redundant storage (GRS) function in the event of failover?
Data is available to be read only if Microsoft initiates a failover from the primary to secondary region.
How does Read-access geo-redundant storage storage (RA-GRS) function in the event of failover?
Replicates data to another data center in a secondary region.
Can data be accessed without a triggered failover from Microsoft with user Read-access geo-redundant storage storage (RA-GRS)?
Yes; Can read from the secondary region regardless of whether Microsoft initiates a failover from the primary to the secondary.
How does Geo-redundant storage (GRS) and Read-access geo-redundant storage storage (RA-GRS) replicate data between regions?
Data is first replicated with LRS; Then replicated asynchronously to the secondary region by using GRS.
With Geo-redundant storage (GRS) and Read-access geo-redundant storage storage (RA-GRS), how does the secondary region replicate data?
The secondary region provides LRS.
Describe ‘Geo-zone-redundant storage (GZRS)’
Data is replicated across three Azure availability zones in the primary region, and also replicated to a secondary geographic region.
What is the guaranteed SLA of Geo-zone-redundant storage (GZRS)?
99.99999999999999% (16 9’s) durability.
What two Azure storage replication services will provide read-only access during region wide outage?
- RA-GRS
- RA-GZRS
What four Azure storage replication services provide data access in a region wide outage?
- RA-GRS
- RA-GZRS
- GRS
- GZRS
What Azure storage replication service will not provide data access if an entire data center becomes unavailable?
LRS.
What two components does the name of an Azure Storage account consist of?
- Storage account name
- Service domain
What is the default endpoint name of a blob (container) service account?
StorageAccountName.blob.core.windows.net
What is the default endpoint name of a table service account?
StorageAccountName.table.core.windows.net
What is the default endpoint name of a queue service account?
StorageAccountName.queue.core.windows.net
What is the default endpoint name of a file service account?
StorageAccountName.file.core.windows.net
How is data in a storage account accessed by URL?
By appending the objects location in the endpoint URL.
How can storage accounts leverage custom URL domain?
Implement an Azure Content Delivery Network (CDN) to access blobs by using custom domains over HTTPS.
What are the two ways of configuring a custom domain for a subdomain to an Azure storage account?
- Direct mapping
- Intermediary domain mapping
Describe how subdomain ‘Direct mapping’ is configured
Create a CNAME record that points from the subdomain to the Azure storage account.
Describe subdomain ‘Intermediary domain mapping’
Adds a keyword to a subdomain CNAME that’s already in use within Azure.
Describe how Intermediary domain mapping is configured
Prepend the keyword ‘asverify’ to the subdomain in Azure DNS
Where are service endpoints configured for a storage account?
In the storage account.
What is the purpose for configuring a service endpoint for a storage account?
Restrict access to your storage account from specific subnets on virtual networks or public IPs.
Where must the storage account and virtual network be to configure a service endpoint for a storage account?
Subnets and virtual networks must exist in the same Azure region or region pair as the storage account.
Define a ‘Blob’
Blob stands for Binary Large Object.
Where/how is a blob stored?
Stored/Uploaded in a container resource to group a set of blobs; A blob can’t exist by itself in Blob Storage.
What is the maximum amount of blobs that can be stored in a container?
Unlimited.
What is the maximum amount of containers that can be stored in an Azure storage account?
Unlimited.
Can there be duplicate names for a container in a single Azure storage account?
No; The name must be unique within the Azure storage account.
Describe an ‘access tier’ and its purpose
Each access tier for blob storage is optimized to support a particular pattern of data usage.
What are the 4 blob storage access tiers?
- Hot
- Cool
- Cold
- Archive
Describe the ‘Hot’ blob storage access tier
Optimized for frequent reads and writes of objects in the Azure storage account.
What is the best use case for the hot access tier?
For data that is actively being processed.
Describe the overall cost of the hot access tier
Has the lowest access costs, but higher storage costs than the Cool and Archive tiers.
What tier are new Azure storage account placed in by default?
Hot.
Describe the ‘Cool’ blob storage access tier
Optimized for storing large amounts of data that’s infrequently accessed.
What is the best use case for the cool access tier?
For data that remains untouched for at least 30 days; Hot-term backup and disaster recovery datasets and older media content.
Describe the overall cost of the cool access tier
Most cost effective although it has the 2nd highest access costs.
Describe the ‘Cold’ blob storage access tier
This tier is intended for larger amounts of data that can remain un-accessed for at least 90 days.
How long must data in the ‘Archive’ blob storage access tier remain untouched?
Data must remain in the Archive tier for at least 180 days or be subject to an early deletion charge.
What is the best use case for the archive access tier?
Secondary backups, original raw data, and legally required compliance information.
What access tier is the most cost-effective for storing data?
Archive
What access tier is the least cost-effective for accessing data?
Archive
What access tier offers the highest SLA reliability?
Hot access tier
What Blob storage mechanism can be used to help manage data lifecycle?
Lifecycle management rules to determine what tier data should be placed in, and expiration for the data.
What types of storage accounts can use lifecycle management?
GPv2 and Blob Storage accounts.
Can lifecycle management be applied to a container?
Yes.
How can data be automatically moved to a different access tier over its lifecycle?
By creating a lifecycle management rule that can move the data to a different tier based on when it what created or last modified.
Describe ‘blob object replication’
Object replication copies blobs in a container asynchronously according to policy rules that you configure.
List the contents that are copied from the source to the destination during blob object replication
- The blob contents
- The blob metadata and properties
- Any versions of data associated with the blob
What must be enabled on source and destination blob storage accounts/containers to perform blob object replication?
blob versioning.
What type of data is not supported in blob object replication?
VM Snapshots.
What access tiers support blob object replication
Hot, Cool, or Cold tier.
Can source and destination blob storage accounts be in different access tiers when performing blob object replication?
Yes.
What does a blob object replication policy consist of?
One or more rules that specify a source container and a destination container as well as the blobs in the source container to replicate.
List the 3 types of Azure Storage Blobs
- Block blobs
- Append blobs
- Page blobs
Describe a ‘Block blob’
Ideal for storing text and binary data in the cloud, like files, images, and videos.
Describe an ‘Append blob’
Useful for logging scenarios, where the amount of data can increase as the logging operation continues.
What is the max size of a ‘Page blob’?
Can be up to 8TB in size
What is the default blob type for a new blob?
Block blob.
Define ‘AzCopy’
Cloud shell command that copies data to/from blob storage/containers/accounts.
Describe ‘Azure Data Box Disk ‘
A service for transferring large amounts of on-premises data to Blob Storage using Microsoft provided SSDs.
Describe ‘Azure Import/Export’
Export/import data by sending Microsoft hard drives with data and they will send them back.
Describe ‘Blob versioning’
Automatically maintain previous versions of an object; Access earlier versions of a blob to recover your data if it’s modified or deleted.
Between what two access tiers will data automatically change when it accessed/inaccessed?
Hot tier to cool tier.
What access control mechanisms are used to secure Azure Storage?
Microsoft Entra ID and role-based access control (RBAC)
How can data be secure in transit when using Azure storage?
By using Client-Side Encryption, HTTPS, or SMB 3.0.
How does Azure storage leverage zero trust?
Every request made against a secured resource must be authorized.
Describe a ‘shared access signature (SAS)’
A uniform resource identifier (URI) that grants restricted access rights to Azure Storage resources.
What is the purpose of implementing a shared access signature (SAS)?
A secure way to share storage resources with unauthorized users without compromising your account keys.
Can a shared access signature (SAS) be time based?
Yes; Specify the time interval for which a SAS is valid.
What are the two types of shared access signature (SAS)?
- Account-level
- Service-level
Describe an ‘Account-level’ shared access signature (SAS)
SAS delegates access to resources in one or more Azure Storage services.
Describe an ‘Service-level’ shared access signature (SAS)
Service-level SAS delegates access to a resource in only one Azure Storage service.
Can shared access signature (SAS) specify a range of IPs to accept shared access signature (SAS) from?
Yes.
What does a shared access signature (SAS) uniform resource identifier (URI) consist of?
The Azure Storage resource URI and the SAS token.
How is data encrypted/decrypted in Azure storage?
Encryption and decryption processes happen automatically.
How is data in Azure storage encrypted?
All data written to Azure Storage is encrypted through AES-265 encryption.
How can encryption keys be managed in Azure Storage?
Microsoft managed or customer (self) managed.
What service is used to manage and generate encryption keys?
Azure key vault.
What is the security risk of shared access signature (SAS)?
If a SAS is compromised, it can be used by anyone who obtains it, including a malicious user.
What is best practice for securing shared access signature (SAS)?
Always use HTTPS for creation and distribution.
Define a ‘stored access policy’
Revoke permissions without having to regenerate the Azure storage account keys by setting key expiration date.
How can clients ensure access to keys if the service providing shared access signature (SAS) is unavailable?
Require clients automatically renew the SAS.
What is best practice for configuring a shared access signature (SAS) start time?
Set the start time to at least 15 minutes in the past. Or, don’t set a specific start time, which causes the SAS to be valid immediately
How can the amount of data uploaded/downloaded using shared access signature (SAS) be restricted?
Near-term expiration times can limit the amount of data that can be written to a blob by limiting the time available to upload to it.
How does implementing a shared access signature (SAS) effect cost?
There are additional charges for upload/download ingress/egress.
What solution is the easiest way to implement secure storage for a company’s media files?
Create stored access policies for each container to enable revocation of access or change of duration.
How/Where are files accessed using Azure Files stored?
Allows you to cache several Azure Files shares on an on-premises Windows Server or cloud virtual machine.
How do VMs or other cloud services access data in Azure Files?
By mounting an Azure File share.
How many VMs or services can mount/access an Azure File share?
Unlimited simultaneous connections to on-prem or cloud.
What are the two supported protocols for mounting an Azure file share?
NFS and SMB.
Can the same file Azure file share use SMB and NFS at the same time?
No; One or the other.
What are the two types of Azure file shares?
- premium
- Standard
Describe a premium azure file share
Stores data on SSDs; can be used to APIs; can’t go back to standard tier.
Describe a standard azure file share
Stores data on HDDs; Can only use SMB and NFS.
What is a networking consideration when deploring an Azure SMB file share?
Open port 445.
What is the function of an Azure file snapshot?
Capture a point-in-time, read-only copy of your data.
Are snapshots incremental?
Yes.
Can a snapshot of an individual snapshot be taken?
Yes.
Define ‘soft delete for Server Message Block (SMB) file shares’
Lets you recover deleted files and file shares or ‘softly’ delete files.
How are files softly deleted with soft delete for Azure files?
A retention period is set and defines the amount of time that soft deleted files are stored and available for recovery.
What is the retention period range Azure allows for soft delete?
Between 1 and 365 days.
How is soft delete enabled?
Enabled at the storage account level; can be enabled on either new or existing file shares.
Define ‘Azure Storage Explorer’
Standalone GUI application for accessing multiple storage accounts and subscriptions, to manage Storage content.
What are the requirements to implement Azure Storage explorer?
Requires Azure Resource Manager and Role-based access control along with Azure AD (Entra ID).
Can an external storage account be connect to Azure Storage explorer?
Yes.
Define a storage access key
Access keys provide access to the entire storage account.
How many access/account keys are provided to the tenant when a storage account is created?
2
Describe ‘Azure File Sync’
Enables you to cache several Azure Files shares on an on-premises Windows Server or cloud virtual machine.
Define ‘Cloud tiering’
Optional feature of Azure File Sync; Frequently accessed files are cached locally on the server while all other files are tiered to Azure Files based on policy settings.
How is a file stored with Azure File Sync cloud tiering?
Initially stored on-prem, once inactivity policy is reached, File Sync replaces the file with a pointer URL (reparse point) to the file in Azure files.
How is a file accessed with cloud tiering?
Azure File Sync recalls the file data from Azure Files.
How are cloud tiered files represented?
Greyed icons with an offline O file attribute.
What are the best scenarios for Azure File Sync?
Migration; Support for Branch offices; Backup/recovery.
Define a ‘storage account’
An Azure resource; A Container that groups a set of Azure Storage services together.
What Azure storage services can be stored in a storage account?
Azure Blobs, Azure Files, Azure Queues, and Azure Tables.
What is the benefit of combining multiple azure storage services under a single storage account or resouce group?
Enables you to manage them as a group.
What is the affect of deleting a storage account?
Deletes all of the data stored inside it.
What Azure data services can’t be included in a storage account, and are managed independently by Azure?
Azure SQL and Azure Cosmos DB.
What are the two deployment models Azure offers for a storage acount?
Resource Manager and Classic.
What is the recommended deployment model for a storage account?
Resource manager.
When choosing a name for a storage account, what must be required?
The name must be globally unique.
What are two ways to limit public access to blob storage?
- Via the Storage Account
- Via the Container
What parameter is configured at the storage account level to allow public access?
Set the AllowBlobPublicAccess property to true or false.
What are the two ways public access is granted at the storage account level?
- Public read access for blobs
- public read access for a container and its blobs
In order to allow public access to blob storage, what two things must be configred?
- Storage account set to public access
- Container settings set to public access.
What are the 3 types of Shared access signatures (SASs)?
- User delegation SAS
- Service SAS
- Account SAS
How is ‘User delegation shared access signature (SAS)’ secured?
Secured with Microsoft Entra credentials; Can only be used for blob storage.
How is a ‘Service shared access signature (SAS)’ secured?
secured using a storage account key to only once of four Azure Storage services.
How is a ‘Account shared access signature (SAS)’ secured?
Secured with a storage account key; Can also control access to service-level operations.
How many shared access signatures (SASs) can a single stored access policy be associated with?
Up to five active SASs.
How is a shared access signature (SAS) encrypted?
The signature is signed with your storage account key when you create a service or account shared access signature or with a user delegation shared access signature in Entra ID.
What is the most secure implementation of shared access signature (SAS)?
User delegation via Entra ID.
What 4 Azure storage resources can a stored access policy be applied to?
- Blob containers
- File shares
- Queues
- Tables
What Azure storage resources/services can be accesses by Azure Storage explorer?
Blobs; Tables; Queues; Azure Files; Azure Data Lake.
What is the purpose of a local emulator?
Emulates storage resources to a local computer to reduce cost.
Describe the purpose/function of Azure Data Lake Storage
Used for storing and analyzing large data sets.
