Azure Storage offers three types of storage accounts:
- General-purpose v2. Blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage.
- General-purpose v1. Legacy account type for blobs, files, queues, and tables.
- Blob storage. Blob-only storage accounts. Use general-purpose v2 accounts instead when possible.
Type | Services | Performance tiers | Access tiers | Replication | Deployment |
---|---|---|---|---|---|
GPv2 | Blob, File, Queue, Table, and Disk | Standard, Premium | Hot, Cool, Archive | LRS, ZRS, GRS, RA-GRS | Resource Manager |
GPv1 | Blob, File, Queue, Table, and Disk | Standard, Premium | N/A | LRS, GRS, RA-GRS | Resource Manager, Classic |
Blob storage | Blob (block and append only) | Standard | Hot, Cool, Archive | LRS, GRS, RA-GRS | Resource Manager |
- All storage accounts are encrypted at rest using Storage Service Encryption (SSE).
- Access tiers are Hot, Cool, and Archive. The Archive tier is available only at the level of an individual blob, not at the storage account level. Only block blobs and append blobs can be archived.
General-purpose storage accounts offer two performance tiers:
- Standard. Magnetic drives (HDD), lowest cost per GB.
- Premium. Solid-state drives (SSD), offering consistent low-latency performance.
It is NOT possible to convert a Standard account to Premium or vice versa. You must create a new account and copy the data.
You can configure custom domain names for accessing blob content instead of using the Azure URLs.
Replication options:
- Locally redundant storage (LRS)
- Zone-redundant storage (ZRS)
- Geo-redundant storage (GRS)
- Read-access geo-redundant storage (RA-GRS)
Scenario | LRS | ZRS | GRS | RA-GRS |
---|---|---|---|---|
Node unavailability within a data center | ✔️ | ✔️ | ✔️ | ✔️ |
An entire data center (zonal or non-zonal) becomes unavailable | | ✔️ | ✔️ | ✔️ |
A region-wide outage | | | ✔️ | ✔️ |
Read access to your data (in a remote, geo-replicated region) during a region-wide outage | | | | ✔️ |
Designed durability (9's) | 11 | 12 | 16 | 16 |
Supported account types | GPv2, GPv1, Blob | GPv2 | GPv2, GPv1, Blob | GPv2, GPv1, Blob |
Read SLA | 99.9% | 99.9% | 99.9% | 99.99% |
Cool access tier read SLA | 99% | 99% | 99% | 99.9% |
Write SLA | 99.9% | 99.9% | 99.9% | 99.9% |
Cool access tier write SLA | 99% | 99% | 99% | 99% |
You can change the replication strategy without downtime.
A shared access signature (SAS) provides a way to grant limited access to objects in your storage account to other clients without exposing your account key. A SAS gives you granular control, including:
- The valid interval (start and expiry).
- The permissions granted.
- An optional IP address or range of IP addresses.
- The optional protocol.
Two typical design patterns:
- Clients upload and download data via a front-end proxy service.
- A lightweight service authenticates the client as needed and then generates a SAS.
Two types of shared access signatures:
- The service SAS delegates access to a resource in just one of the storage services: the Blob, Queue, Table, or File service.
- The account SAS delegates access to resources in one or more of the storage services.
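The following is an added example, not code from the original notes or from Azure itself. It models how a SAS works: the issuer (the lightweight service in the second design pattern above) signs the granted permissions, validity window, IP range and protocol with the account key using HMAC-SHA256, and the storage side recomputes the signature before honouring the request. The account key, the resource path, the function names (`make_service_sas`, `verify_service_sas`) and the exact string-to-sign layout are assumptions for illustration; Azure's real string-to-sign has more fields, but the mechanism is the same, so the client never sees the key and cannot widen its own permissions.

```python
import base64
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# Constructed account key for the example (32 bytes, base64). Not a real Azure key.
ACCOUNT_KEY_B64 = base64.b64encode(bytes(range(32))).decode()

# Fixed "now" and a hypothetical blob path so the example is deterministic.
NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
RESOURCE = "/blob/mystorageaccount/reports/q1.pdf"

# Query parameters that are covered by the signature, in a fixed order.
SIGNED_FIELDS = ("sp", "st", "se", "sr", "sip", "spr", "sv")


def _ts(dt: datetime) -> str:
    """UTC timestamp in the form Azure uses, e.g. 2024-01-31T12:00:00Z."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _string_to_sign(resource: str, params: dict) -> str:
    # Simplified model: canonical resource path, then each signed parameter
    # (empty string when absent), newline-separated. Azure's real layout
    # contains additional fields but is built the same way.
    return "\n".join([resource] + [params.get(k, "") for k in SIGNED_FIELDS])


def _sign(key_b64: str, s: str) -> str:
    key = base64.b64decode(key_b64)
    return base64.b64encode(hmac.new(key, s.encode(), hashlib.sha256).digest()).decode()


def make_service_sas(key_b64, resource, permissions, start, expiry,
                     ip_range=None, protocol="https", version="2019-12-12"):
    """Issuer side: build the SAS query string for one blob (sr=b)."""
    params = {"sp": permissions, "st": _ts(start), "se": _ts(expiry),
              "sr": "b", "spr": protocol, "sv": version}
    if ip_range:
        params["sip"] = ip_range          # single address or "low-high" range
    params["sig"] = _sign(key_b64, _string_to_sign(resource, params))
    return urlencode(params)


def _ip_allowed(sip: str, client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    lo, _, hi = sip.partition("-")
    lo_ip = ipaddress.ip_address(lo)
    hi_ip = ipaddress.ip_address(hi) if hi else lo_ip
    return lo_ip <= ip <= hi_ip


def verify_service_sas(key_b64, resource, query, requested_permission,
                       client_ip, scheme, now):
    """Storage side: recompute the signature, then enforce every constraint."""
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    sig = params.pop("sig", None)
    if sig is None:
        return False, "missing signature"
    expected = _sign(key_b64, _string_to_sign(resource, params))
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        return False, "bad signature"
    if "st" in params and now < _parse_ts(params["st"]):
        return False, "outside validity window"
    if now >= _parse_ts(params["se"]):
        return False, "outside validity window"
    if requested_permission not in params.get("sp", ""):
        return False, "permission not granted"
    if params.get("spr", "https") == "https" and scheme != "https":
        return False, "https required"
    if "sip" in params and not _ip_allowed(params["sip"], client_ip):
        return False, "client IP not allowed"
    return True, "ok"


def demo():
    """Issue a read-only, one-hour, IP-restricted SAS and exercise the checks."""
    sas = make_service_sas(ACCOUNT_KEY_B64, RESOURCE, "r",
                           NOW - timedelta(minutes=5), NOW + timedelta(hours=1),
                           ip_range="203.0.113.10-203.0.113.20")
    ok_ip, scheme = "203.0.113.15", "https"
    return {
        "valid": verify_service_sas(ACCOUNT_KEY_B64, RESOURCE, sas, "r", ok_ip, scheme, NOW),
        "write_denied": verify_service_sas(ACCOUNT_KEY_B64, RESOURCE, sas, "w", ok_ip, scheme, NOW),
        "expired": verify_service_sas(ACCOUNT_KEY_B64, RESOURCE, sas, "r", ok_ip, scheme, NOW + timedelta(hours=2)),
        "wrong_ip": verify_service_sas(ACCOUNT_KEY_B64, RESOURCE, sas, "r", "198.51.100.1", scheme, NOW),
        "plain_http": verify_service_sas(ACCOUNT_KEY_B64, RESOURCE, sas, "r", ok_ip, "http", NOW),
        # A client editing sp=r into sp=rw invalidates the signature.
        "tampered": verify_service_sas(ACCOUNT_KEY_B64, RESOURCE, sas.replace("sp=r", "sp=rw"), "w", ok_ip, scheme, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} -> {result}")
```

The order of the checks matters: the signature is verified first so that every later decision is taken over parameters the issuer actually signed, and the comparison uses `hmac.compare_digest` rather than `==`. Because the account key never leaves the issuing service, the client can only present the token as issued; shortening the expiry or narrowing the IP range at issue time is what keeps the delegation "limited".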
Azure Storage Explorer allows you to:
- Access multiple accounts and subscriptions.
- Create, delete, view, and edit storage resources.
- View and edit Blob, Queue, Table, File, Cosmos DB storage and Data Lake Storage.
- Obtain shared access signature (SAS) keys.
- Available for Windows, Mac, and Linux.
LAB: Use Azure Storage Explorer to create a blob in object storage
- Symmetric. The same key is used to encrypt and decrypt.
- Asymmetric. Public / private key pair where either can encrypt, but both keys are involved (one encrypts, the other decrypts). Typically used for signing.
- Encryption at rest. Data stored on a physical medium.
- Encryption in transit. Data moving from one location to another.
Azure Storage Service Encryption automatically encrypts data before persisting it to Azure Managed Disks, Azure Blob Storage, Azure Files, and Azure Queue Storage. Decryption is performed on retrieval. Uses 256-bit AES encryption.
Azure Disk Encryption (ADE) is used on Windows (BitLocker) and Linux (DM-Crypt).
Azure SQL Database supports encryption at rest for Microsoft-managed server-side and client-side encryption scenarios. Support for server encryption is currently provided through the unified SQL feature called Transparent Data Encryption (TDE). Once an Azure SQL Database customer enables TDE, keys are automatically created and managed for them. Encryption at rest can be enabled at the database and server levels. TDE is enabled by default on newly created databases. Azure SQL Database also supports RSA 2048-bit customer-managed keys in Azure Key Vault.
Azure Cosmos DB stores its primary databases on solid-state drives (SSDs). Its media attachments and backups are stored in Azure Blob storage, which is generally backed by hard disk drives (HDDs). Cosmos DB automatically encrypts all databases, media attachments, and backups.
Trusted Execution Environment (TEE)
Data classification levels:
- Restricted. Significant risk if exposed, altered, or deleted. Examples: credit card info, personal health records.
- Private. Moderate risk if exposed, altered, or deleted. Examples: personal information such as name / address / phone number.
- Public. No risk if exposed, altered, or deleted. Examples: product specifications, public notices.