Implement and manage storage in Azure

Question 1

Azure Storage

Answer 1

Azure Blobs,
Azure Files,
Azure Queues
Azure Tables

Question 2

What is a storage account?

Answer 2

A storage account is a container that groups a set of Azure Storage services together. Only data services from Azure Storage can be included in a storage account (Azure Blobs, Azure Files, Azure Queues, and Azure Tables)

Question 3

storage accounts expanded

Answer 3

A storage account is an Azure resource and is included in a resource group. The following illustration shows an Azure subscription containing multiple resource groups, where each group contains one or more storage accounts

Question 4

Storage account settings

Answer 4

A storage account defines a policy that applies to all the storage services in the account. For example, you could specify that all the contained services will be stored in the West US datacenter, accessible only over https, and billed to the sales department’s subscription

Question 5

The settings that are controlled by a storage account are

Answer 5

Subscription
Location

Performance
Standard allows you to have any data service (Blob, File, Queue, Table) and uses magnetic disk drives. Premium introduces additional services for storing data

Question 6

replication / storage

Answer 6

Determines the strategy used to make copies of your data to protect against hardware failure or natural disaster. At a minimum, Azure will automatically maintain three copies of your data within the data center associated with the storage account. This is called locally-redundant storage (LRS), and guards against hardware failure but does not protect you from an event that incapacitates the entire datacenter. You can upgrade to one of the other options such as geo-redundant storage (GRS) to get replication at different datacenters across the world

Question 7

Access tier

Answer 7

Controls how quickly you will be able to access the blobs in this storage account. Hot gives quicker access than Cool, but at increased cost. This applies only to blobs, and serves as the default value for new blobs

Question 8

Secure transfer required

Answer 8

A security feature that determines the supported protocols for access. Enabled requires HTTPs, while disabled allows HTTP

Question 9

Virtual networks

Answer 9

Virtual networks: A security feature that allows inbound access requests only from the virtual network(s) you specify

Question 10

grs vs lrs

Answer 10

Geo-redundant storage costs more than locally-redundant storage. Premium performance and the Hot access tier increase the cost of blobs

Question 11

Choose your account settings

Answer 11

The storage account settings we’ve already covered apply to the data services in the account. Here, we will discuss the three settings that apply to the account itself, rather than to the data stored in the account:

Question 12

Name

Answer 12

Each storage account has a name. The name must be globally unique within Azure, use only lowercase letters and digits and be between 3 and 24 characters.

Question 13

Deployment model

Answer 13

A deployment model is the system Azure uses to organize your resources. The model defines the API that you use to create, configure, and manage those resources. Azure provides two deployment models

Question 14

Deployment model c

Answer 14

Resource Manager: the current model that uses the Azure Resource Manager API
Classic: a legacy offering that uses the Azure Service Management API

Question 15

Account kind

Answer 15

StorageV2 (general purpose v2): the current offering that supports all storage types and all of the latest features
Recommended

Storage (general purpose v1): a legacy kind that supports all storage types but may not support all features

Blob storage: a legacy kind that allows only block blobs and append blobs

Question 16

gpv2 + resource manager

Answer 16

The core advice here is to choose the Resource Manager deployment model and the StorageV2 (general purpose v2) account kind for all your storage accounts. The other options still exist primarily to allow existing resources to continue operation. For new resources, there are few reasons to consider the other choices

Question 17

Disk roles

Answer 17

OS disk. One disk in each virtual machine contains the operating system files. When you create a virtual machine, you select a virtual machine image and that fixes the operating system and the OS disk that’s attached to the new machine. The OS disk has a maximum capacity of 2,048 GB

Question 18

Disk roles 2

Answer 18

Data disk. You can add one or more data virtual disks to each virtual machine to store data. For example, database files, website static content, or custom application code should be stored on data disks. The number of data disks you can add depends on the virtual machine size. Each data disk has a maximum capacity of 32,767 GB

Question 19

Disk roles 3

Answer 19

Temporary disk. Each virtual machine contains a single temporary disk, which is used for short-term storage applications such as page files and swap files. The contents of temporary disks are lost during maintenance events, so don’t use these disks for critical data. These disks are local to the server and aren’t stored in a storage account

Question 20

Ephemeral OS disks

Answer 20

An ephemeral OS disk is a virtual disk that saves data on the local virtual machine storage

An ephemeral disk has faster read-and-write latency than a managed disk. It’s also faster to reset the image to the original boot state if you’re using an ephemeral disk. However, an individual virtual machine failure might destroy all the data on an ephemeral disk and leave the virtual machine unable to boot. Because ephemeral disks reside locally to the host, they incur no storage costs and are free

Question 21

Managed disks

Answer 21

A managed disk is a virtual hard disk for which Azure manages all the required physical infrastructure. Because Azure takes care of the underlying complexity, managed disks are easy to use. You can just provision them and attach them to virtual machines

Question 22

Virtual hard

Answer 22

are stored as page blobs in an Azure Storage account, but you don’t have to create storage accounts, blob containers, and page blobs yourself or maintain this infrastructure later

Question 23

Benefits

Simple scalability

Answer 23

Simple scalability. You can create up to 50,000 managed disks of each type in each region in your subscription

Question 24

High availability

Answer 24

Managed disks support 99.999% availability by storing data three times. If there’s a failure in one replica, the other two can maintain full read-write functionality

Question 25

Integration with availability sets and zones

Answer 25

If you place your virtual machines into an availability set, Azure automatically distributes the managed disks for those machines into different fault domains so that your machines are resilient to localized failures. You can also use availability zones, which distribute data across multiple datacenters, for even greater availability

Question 26

Support for Azure Backup

Answer 26

Azure Backup natively supports managed disks, which includes encrypted disks

Question 27

Granular access control

Answer 27

You can use Azure role-based access control (RBAC) to grant access to specific user accounts for specific operations on a managed disk. For example, you could ensure that only an administrator can delete a disk

Question 28

Support for encryption

Answer 28

To protect sensitive data on a managed disk from unauthorized access, you can encrypt it by using Azure Storage Service Encryption (SSE), which is provided with Azure Storage accounts. Alternatively, you can use Azure Disk Encryption (ADE), which uses BitLocker for Windows virtual machines, and DM-Crypt for Linux virtual machines.

Question 29

Input/output operations per second (IOPS)

Answer 29

IOPS measure the rate at which the disk can complete a mix of read and write operations. Higher performance disks have higher IOPS values

Question 30

Throughput

Answer 30

Throughput measures the rate at which data can be moved onto the disk from the host computer and off the disk to the host computer. Throughput is also called data transfer rate and is measured in megabytes per second (MBps). Higher performance disks have higher throughput

Question 31

Ultra SSD

Answer 31

Ultra SSDs provide the highest disk performance available in Azure. Choose them when you need the fastest storage performance, which includes high throughput, high IOPS, and low latency.
Ultra disks can have capacities from 4 GB up to 64 TB

Question 32

Ultra SSD LIMITS

Answer 32

They’re only available in a subset of Azure regions.
They can only be attached to virtual machines that are in availability zones.
They can only be attached to ES/DS v3 virtual machines.
They can only be used as data disks and can only be created as empty disks.
They don’t support disk snapshots, virtual machine images, scale sets, Azure Disk Encryption, Azure Backup, or Azure Site Recovery

Question 33

Premium SSD

Answer 33

Premium SSDs are the next tier down from ultra disks in terms of performance, but they still provide high throughput and IOPS with low latency. Premium disks don’t have the current limitations of ultra disks. For example, they’re available in all regions and can be used with virtual machines that are outside of availability zones.

You can’t adjust performance without detaching these disks from their virtual machine. Also, you can only use premium SSDs with larger virtual machine sizes, which are compatible with premium storage.

Question 34

Standard SSD

Answer 34

Standard SSDs in Azure are a cost-effective storage option for virtual machines that need consistent performance at lower speeds. Standard SSDs aren’t as fast as premium or ultra SSDs, but they still have latencies in the range of 1 millisecond to 10 milliseconds and up to 6,000 IOPS. They’re available to attach to any virtual machine, no matter what size it is.

Question 35

Standard HDD

Answer 35

If you choose to use standard HDDs, data is stored on conventional magnetic disk drives with moving spindles. Disks are slower and speeds are more variable than for SSDs, but latencies are under 10 ms for write operations and 20 ms for reads. As for standard SSDs, you can use standard HDDs for any virtual machine.

Question 36

Locally redundant storage

Answer 36

Locally redundant storage (LRS) copies your data three times across separate racks of hardware in a datacenter, inside one region. Even if there’s a hardware failure, or if maintenance work is happening in the datacenter, this replication type ensures data is available for use.

LRS doesn’t protect you from a datacenter-wide outage. If the datacenter goes down, you could lose your data

Question 37

Geographically redundant storage

Answer 37

With geographically redundant storage (GRS), your data is copied three times within one region, and three times in a secondary region that’s paired with it. This way, if your primary region is experiencing an outage, your secondary region is available for use

Question 38

Read-access geo-redundant storage

Answer 38

With GRS, your secondary region isn’t available for read access until the primary region fails. If you want to read from the secondary region, even if the primary region hasn’t failed, use RA-GRS for your replication type.

Question 39

Zone-redundant storage

Answer 39

Zone-redundant storage (ZRS) copies your data in three storage clusters in a single region. Each cluster is in a different physical location and is considered as a single availability zone. Each cluster uses its own separate utilities for things like networking and power. If one datacenter is experiencing outage, your data remains accessible from another availability zone in the same Azure region

Because all availability zones are in a single region, ZRS can’t protect your data from a regional level outage

Question 40

Geo-zone-redundant storage

Answer 40

Geo-zone-redundant storage (GZRS) combines the high availability benefits of ZRS with GRS. With this replication type, your data is copied across three availability zones in one region. Data is also replicated three times to another secondary region that’s paired with it. This way, your zone-redundant data is also secure from regional level outage

Question 41

Read-access geo-zone-redundant storage

Answer 41

Read-access geo-zone-redundant storage (RA-GZRS) uses the same replication method as GZRS but lets you read from the secondary region. If you want to read the data that’s replicated to the secondary region, even if your primary isn’t experiencing downtime, use RA-GZRS for your replication type.

Question 42

Paired regions

Answer 42

A paired region is where an Azure region is paired with another in the same geographical location to protect against regional outage. Paired regions are used with GRS and GZRS replication types

Question 43

Live migration

Answer 43

you can also use live migration to migrate your data to an account that uses ZRS, GZRS, or RA-GZRS. Use live migration to avoid downtime or data loss. The duration of your live migration generally depends on the amount of data in your account

Question 44

Live migrations limitations

Answer 44

here are some limitations to live migration. For example:

Unlike a manual app, you won’t know exactly when a live migration will complete.
Data can only be migrated to the same region.
Live migration is only supported for data held in standard storage account types.
If your account contains a large file share, live migration to GZRS isn’t supported.

Question 45

How the failover process works

Answer 45

Azure Storage lets you fail over your storage account to a different region if the primary region becomes unavailable. When a failover is triggered and completed, your data is accessible from a secondary region. You use the secondary region until the primary region is up again

Question 46

Microsoft-managed failover

Answer 46

Failovers can be started by you or by Microsoft. The latter is called a Microsoft-managed failover. During the failover process, Azure Storage starts to point your users and clients to the secondary region instead of the primary region

Question 47

Failover is complete

Answer 47

When the failover process is complete, your storage account is updated to use locally redundant storage (LRS)

Question 48

Azure Service Health

Answer 48

We recommend you track the health status of Azure Storage and other Azure services by using Azure Service Health. You can subscribe to these updates with your applications and configure applications to handle or report issues to you

Question 49

Encryption at rest

Answer 49

All data written to Azure Storage is automatically encrypted by Storage Service Encryption (SSE) with a 256-bit Advanced Encryption Standard (AES) cipher

SSE automatically encrypts data when writing it to Azure Storage. When you read data from Azure Storage, Azure Storage decrypts the data before returning it. This process incurs no additional charges and doesn’t degrade performance. It can’t be disabled

Question 50

For Virtual Machines

Answer 50

Azure lets you encrypt virtual hard disks (VHDs) by using Azure Disk Encryption. This encryption uses BitLocker for Windows images, and it uses dm-crypt for Linux

Question 51

Azure Key Vault

Answer 51

Azure Key Vault stores the keys automatically to help you control and manage the disk-encryption keys and secrets. So even if someone gets access to the VHD image and downloads it, they can’t access the data on the VHD

Question 52

Encryption in transit

Answer 52

Keep your data secure by enabling transport-level security between Azure and the client. Always use HTTPS to secure communication over the public internet. When you call the REST APIs to access objects in storage accounts, you can enforce the use of HTTPS by requiring secure transfer for the storage account. After you enable secure transfer, connections that use HTTP will be refused. This flag will also enforce secure transfer over SMB by requiring SMB 3.0 for all file share mounts

Question 53

CORS support

Answer 53

CORS support is an optional flag you can enable on Storage accounts. The flag adds the appropriate headers when you use HTTP GET requests to retrieve resources from the Storage account

Question 54

Role-based access control

Answer 54

The service ensures that the client has the permissions required to access the data

Azure Storage supports Azure Active Directory and role-based access control (RBAC) for both resource management and data operations.

Question 55

Auditing access

Answer 55

Auditing is another part of controlling access. You can audit Azure Storage access by using the built-in Storage Analytics service

Storage Analytics logs every operation in real time, and you can search the Storage Analytics logs for specific requests. Filter based on the authentication mechanism, the success of the operation, or the resource that was accessed.

Question 56

Shared Key

Answer 56

For other storage models, clients can use a shared key, or shared secret. This authentication option is one of the easiest to use, and it supports blobs, files, queues, and tables

The client embeds the shared key in the HTTP Authorization header of every request, and the Storage account validates the key

Question 57

Storage account keys

Answer 57

In Azure Storage accounts, shared keys are called storage account keys

Azure creates two of these keys (primary and secondary) for each storage account you create. The keys give access to everything in the account

Question 58

using keys

Answer 58

After you refresh keys, any client that attempts to use the old key value will be refused. Make sure you identify all clients that use the shared key, and update them to keep them operational.

Question 59

untrusted clients

Answer 59

shared access signature (SAS). A shared access signature is a string that contains a security token that can be attached to a URI. Use a shared access signature to delegate access to storage objects and specify constraints, such as the permissions and the time range of access

Question 60

Types of shared access signatures

service-level

Answer 60

You can use a service-level shared access signature to allow access to specific resources in a storage account

Question 61

Types of shared access signatures

account-level

Answer 61

Use an account-level shared access signature to allow access to anything that a service-level shared access signature can allow, plus additional resources and abilities

Question 62

Control network access to your storage account

Answer 62

By default, storage accounts accept connections from clients on any network. To limit access to selected networks, you must first change the default action

Question 63

Network Rules

Answer 63

Changing network rules can affect your application’s ability to connect to Azure Storage

Question 64

Understand Advanced Threat Protection for Azure Storage

Answer 64

Advanced Threat Protection detects anomalies in account activity. It then notifies you of potentially harmful attempts to access your account. You don’t have to be a security expert or manage security monitoring systems to take advantage of this layer of threat protection

Question 65

Understand Advanced Threat Protection for Azure Storage 2

Answer 65

Currently, Advanced Threat Protection for Azure Storage is available for the Blob service. Security alerts are integrated with Azure Security Center. The alerts are sent by email to subscription admins

Question 66

Explore Azure Data Lake Storage security features

Answer 66

Azure Data Lake Storage Gen2 provides a first-class data lake solution that allows enterprises to pull together their data. It’s built on Azure Blob storage, so it inherits all of the security features we’ve reviewed in this module

Question 67

DATA LAKE STORAGE

Answer 67

Along with role-based access control (RBAC), Azure Data Lake Storage Gen2 provides access control lists (ACLs) that are POSIX-compliant and that restrict access to only authorized users, groups, or service principals. It applies restrictions in a way that’s flexible, fine-grained, and manageable. Azure Data Lake Storage Gen2 authenticates through Azure Active Directory OAuth 2.0 bearer tokens. This allows for flexible authentication schemes, including federation with Azure AD Connect and multifactor authentication that provides stronger protection than just passwords

Question 68

Azure file shares

Answer 68

You can think of Azure Files as a standard file share, hosted on Azure, that you can access with the industry standard SMB protocol. You can mount or connect to an Azure file share at the same time on all the main operating systems

Question 69

Choose your data access method

Answer 69

There are two built-in methods of data access supported by Azure Files. One method is direct access via a mounted drive in your operating system. The other method is to use a Windows server (either on-premises or in Azure) and install Azure File Sync to synchronize the files between local shares and Azure Files

Question 70

Choose your file redundancy option

Answer 70

Standard performance: Double-digit ms latency, 10,000 IOPS, 300-MBps bandwidth
Premium performance: Single-digit ms latency, 100,000 IOPS, 5-GBps bandwidth

Standard performance accounts use HDD to store data. With HDD, the costs are lower but so is the performance. SSD arrays back the premium storage account’s performance, which comes with higher costs. Currently, premium accounts can only use file storage accounts with ZRS storage in a limited number of regions.

Premium file storage accounts with ZRS are only supported in a smaller subset of regions.

Question 71

What is Storage Explorer?

Answer 71

Storage Explorer is a GUI application developed by Microsoft to simplify access to, and the management of, data stored in Azure storage accounts. Storage Explorer is available on Windows, macOS, and Linu

Question 72

Azure Storage types

Answer 72

Azure Blob Storage. Blob storage is used to store unstructured data as a binary large object (blob).
Azure Table Storage. Table storage is used to store NoSQL, semi-structured data.
Azure Queue Storage. Queue storage is used to store messages in a queue, which can then be accessed and processed by applications through HTTP(S) calls.
Azure Files. Azure Files is a file-sharing service that enables access through the Server Message Block protocol, similar to traditional file servers.
Azure Data Lake Storage. Azure Data Lake, based on Apache Hadoop, is designed for large data volumes and can store unstructured and structured data

Question 73

Use local emulators

Answer 73

Azure Storage Emulator uses a local instance of Microsoft SQL Server 2012 Express LocalDB. It emulates Azure Table, Queue, and Blob storage

Azurite, which is based on Node.js, is an open-source emulator that supports most Azure Storage commands through an API

Question 74

Connecting Storage Explorer to Azure

Answer 74

You need two permissions to access your Azure storage account: management and data. However, you can use Storage Explorer with only the data-layer permission. The data layer requires the user to be granted, at a minimum, a read data role

Question 75

Add an Azure account by using Azure AD

Answer 75

Use this connection type when the user can access the data layer. You can use it only to create an Azure Data Lake blob container or a standard blob container

Connecting to Azure Storage through Azure AD requires more configuration than the other methods. The account that you use to connect to Azure must have the correct permissions and authorization to access the target resources

Question 76

Connect by using a shared access signature URI

Answer 76

A shared access signature (SAS) URI is an unambiguous identifier that’s used to access your Azure Storage resources.

With this connection method, you’ll use a SAS URI for the required storage account. You’ll need a SAS URI whether you want to use a file share, table, queue, or blob container. You can get a SAS URI either from the Azure portal or from Storage Explorer

Question 77

Connect by using a storage account name and key

Answer 77

To connect to a storage account on Azure quickly, you use the account key that’s associated with the storage. To find the storage access keys from the Azure portal, go to the correct storage account page and select access keys

Question 78

Manage Azure Cosmos DB and Data Lake

Answer 78

You can use Storage Explorer to access and manage data stored in Azure Cosmos DB and Data Lake.

To connect to an Azure Cosmos DB service, you’ll need to use a connection string. You get a connection string by accessing the Azure Cosmos DB configuration through the Azure portal.

To connect to a Data Lake service, you’ll need the URI associated with the data lake. Using a URI allows you to access resources that aren’t in your subscription. When you have the URI of the resource that you want to access, you connect to it by using the Data Lake Storage Gen1 option.

Question 79

Azure Data Lake

Answer 79

Azure Data Lake is a service used for storing and analyzing large data sets. It supports large data workloads. It’s well suited to capture data of any type or size, and at any speed. Data Lake supports all the expected enterprise-grade capabilities like security, scalability, reliability, manageability, and availability

Question 80

What is Azure Import/Export?

Answer 80

Azure Import/Export provides a way for organizations to export data from Azure Storage to an on-premises location. The service offers a secure, reliable, and cost-effective method to export large amounts of data

Question 81

What is Azure Import/Export? 2

Answer 81

You can also use Azure Import/Export to import data to Azure Storage from an on-premises location. However, we recommend that you use an Azure Data Box device when you’re in a region where the Azure Data Box family is supported. Importing data by using one of the products in the Azure Data Box family is easier than using Azure Import/Export

Question 82

The Azure Import/Export service

Answer 82

Azure Import/Export is an Azure service that’s used to migrate large quantities of data between an on-premises location and an Azure Storage account. By using the service, you send and receive physical disks that contain your data between your on-premises location and an Azure datacenter. You ship data that’s stored on your own disk drives. These disk drives can be Serial ATA (SATA) hard-disk drives (HDDs) or solid-state drives (SSDs)

Question 83

The Azure Import/Export service

Answer 83

The Azure Import/Export service is ideally suited to situations where you must upload or download large amounts of data, but your network backbone doesn’t have sufficient capacity or reliability to support large-scale transfers. You typically use this service to:

Migrate large amounts of data from on-premises to Azure, as a one-time task
Back up your data on-premises in Azure Storage
Recover large amounts of data that you previously stored in Azure Storage
Distribute data from Azure Storage to customer sites

Question 84

Security considerations

Answer 84

For export jobs, the Import/Export Service uses BitLocker to encrypt the drive before it’s shipped back to you. Microsoft provides you with the encryption key

For import jobs, all data must be encrypted through BitLocker before you send the disks to Microsoft. This encryption helps protect your data. No one can read the data on the disk drives without providing the encryption key. You can encrypt disks by using the WAImportExport tool. Or, you can manually enable BitLocker on the drive and provide the encryption key to the WAImportExport tool

Question 85

How Azure Import/Export works

Answer 85

To use Azure Import/Export, you create a job that specifies the data that you want to import or export. You then prepare the disks to use to transfer the data. For an import job, you write your data to these disks and ship them to an Azure datacenter

Microsoft uploads the data for you. For an export job, you prepare a set of blank disks and ship them to an Azure datacenter. Microsoft copies the data to these disks and ships them back to you

Question 86

Export data from Azure

Answer 86

You can use the Import/Export service to export data from Azure Blob storage only. You can’t export data that’s stored in Azure Files

Question 87

Export data from Azure 2

Answer 87

An active Azure subscription and an Azure Storage account holding your data in Azure Blob storage
A system running a supported version of Windows
BitLocker enabled on the Windows system
WAImportExport version 1 downloaded and installed from the Microsoft Download Center
An active account with a shipping carrier like FedEX or DHL for shipping drives to an Azure datacenter
A set of disks that you can send to an Azure datacenter on which to copy the data from Azure Storage

Question 88

Import data to Azure

Answer 88

An active Azure subscription.
Minimum of one Azure Storage account.
A system running a supported version of Windows.
BitLocker enabled on the Windows system.
The correct version of the WAImportExport tool. Install version 1 to import data to Azure Blob storage or version 2 to import to Azure Files. Download this tool from the Microsoft Download Center.
An active shipping carrier account like FedEX or DHL for shipping drives to an Azure datacenter.

Question 89

Offline transfer of massive data

Answer 89

The Import/Export service is an offline solution. It’s designed to handle more data than would be feasible to transmit over a network connection. Using the Import/Export service, you take responsibility for preparing and shipping the necessary hardware.

Question 90

Azure Data Box family

Answer 90

A Data Box device is a proprietary, tamper-proof network appliance. You connect the device to your own internal network to move data to the device. You ship the device back to Microsoft, which then uploads data from the device into Azure Storage

Question 91

Online transfer of massive data

Answer 91

The Import/Export service doesn’t provide an online option. If you need an online method to transfer massive amounts of data, you can use Azure Data Box Edge or Azure Data Box Gateway. Data Box Edge is a physical network appliance that you install on-premises. The device connects to your storage account in the cloud. Data Box Gateway is a virtual network appliance. Both of these products support data transfer from an on-premises location to Azure.

Question 92

AzCopy

Answer 92

AzCopy is a simple but powerful command-line tool that lets you copy files to or from Azure Storage accounts. With AZCopy you can:

Upload, download, and copy files to Azure Blob storage
Upload, download, and copy files to Azure Files
Copy files between storage accounts
Copy files between storage accounts from different regions

Question 93

Azure Storage Explorer

Answer 93

Azure Storage Explorer is a free tool that you can use to connect to Azure Storage and view data through a graphical user interface. You can upload and download data held in blobs, files, and tables. You can also examine queues and manipulate queued messages. Storage Explorer is an interactive tool. It isn’t suitable for moving more than the smallest amounts of data, and it can’t be easily scripted.