Creating an Azure Storage Account

Learn how to create and configure an Azure Storage account, covering redundancy options, advanced settings, networking, and encryption.

Saartje Ly

Data Engineering Intern

August 21, 2024

Introduction

Azure Storage (managed through Storage Accounts) is an Azure service that provides storage for a wide range of use cases. Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers.

Head to Azure so we can get started on this lesson.


Once you're in Azure, you'll want to click on the Storage accounts button.

At the top left, click Create.


Basics

Choose your subscription and resource group, then enter a unique storage account name. After that, choose the region that suits you and the primary service.

For redundancy, you have some options.

1. Locally-redundant storage (LRS): provides a basic level of redundancy at a lower cost, making it a popular choice for scenarios where data protection within a single region is sufficient.

2. Geo-redundant storage (GRS): designed to protect your data against both local hardware failures and entire data center failures.

3. Zone-redundant storage (ZRS): replicates your data across multiple physical locations within a single region, and is designed to protect against the loss of an entire data center within that region.

4. Geo-zone-redundant storage (GZRS): combines the benefits of both GRS and ZRS by replicating your data across multiple availability zones within a primary region and then replicating it to a secondary, geographically distant region.


Advanced

Require secure transfer for REST API operations:
The secure transfer option enhances the security of your storage account by only allowing REST API operations on the storage account over HTTPS. Any requests using HTTP will be rejected when this setting is enabled. When you are using the Azure file service, connections without encryption will fail, including scenarios using NFS v4.1, SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name. Connections via NFSv3 for blobs over TCP will succeed but will not be secured.

Allow enabling anonymous access on individual containers:
Blob containers, by default, do not permit anonymous access to their content. This setting allows authorized users to selectively enable anonymous access on specific containers. You can use Azure Policy to audit this setting or to prevent it from being enabled.

Enable storage account key access:
When storage account key access is disabled, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied. Client applications that currently access the storage account using Shared Key will no longer work.

Default to Microsoft Entra authorization in the Azure portal:
When this property is enabled, the Azure portal authorizes requests to blobs, files, queues, and tables with Microsoft Entra ID by default.

Minimum TLS version: the lowest TLS version that clients must use to connect to the storage account.

Permitted scope for copy operations (preview):
Restrict copy operations from source storage accounts that are within the same Microsoft Entra tenant or that have a private link to the same virtual network as this storage account.

Enable hierarchical namespace:
Hierarchical namespace, complemented by the Data Lake Storage Gen2 endpoint, enables file and directory semantics, accelerates big data analytics workloads, and enables access control lists (ACLs).

Enable SFTP:
Enables the SSH File Transfer Protocol for your storage account, allowing users to access blobs via an SFTP endpoint. Local users must be created before the SFTP endpoint can be accessed.

Enable network file system v3:
Enables the Network File System protocol for your storage account, allowing users to share files across a network. This option must be set during storage account creation.

Allow cross-tenant replication:
Allow object replication to copy blobs to a destination account on a different Microsoft Entra tenant. Not enabling cross-tenant replication will limit object replication within the same Microsoft Entra tenant.

Access tier:
The account access tier is the default tier assumed for any blob without an explicitly set tier. The hot access tier is ideal for frequently accessed data, the cool access tier is ideal for infrequently accessed data, and the cold access tier is ideal for rarely accessed data. The archive access tier can only be set at the blob level and not on the account.


Networking

Choose your network access, then create a private endpoint if needed.

Routing preference: Microsoft network routing will direct your traffic to enter the Microsoft cloud as quickly as possible from its source. Internet routing will direct your traffic to enter the Microsoft cloud closer to the Azure endpoint.


Data protection

Tick or untick the boxes as required; each option has an explanation below its title.


Encryption

Encryption type:
Your data is encrypted by default using Microsoft-managed keys. For additional control over your data, encrypt using customer-managed keys stored in Azure Key Vault.

Enable support for customer-managed keys:
Customer-managed key (CMK) support can be limited to blob service and file service only, or to all service types. After the storage account is created, this support cannot be changed.

Enable infrastructure encryption: By default, Azure encrypts storage account data at rest. Infrastructure encryption adds a second layer of encryption to your storage account’s data.
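The settings from the Advanced, Networking and Encryption sections correspond to properties on the storage account resource, so they can be audited after the fact rather than only checked by eye in the portal. As an added example (not part of the original article), the Python script below audits an account's properties, in the shape that `az storage account show` returns them, against those settings and names the Azure CLI flag that remediates each weak one; the two sample accounts are constructed, and the property names and CLI flags are assumed from the Azure CLI rather than taken from this page.

```python
"""Audit an Azure Storage account's properties against the hardening
options in the Advanced, Networking and Encryption sections above."""
import json

# Constructed samples in the shape of `az storage account show` output
# (the ARM property names are an assumption). First: permissive values.
PERMISSIVE_ACCOUNT = """{"name": "exampleacct",
  "supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true, "allowSharedKeyAccess": true,
  "allowCrossTenantReplication": true, "defaultToOAuthAuthentication": false,
  "networkRuleSet": {"defaultAction": "Allow"},
  "encryption": {"keySource": "Microsoft.Storage",
                 "requireInfrastructureEncryption": false}}"""
# Second: the same account after remediation (also constructed).
HARDENED_ACCOUNT = """{"name": "exampleacct",
  "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
  "allowBlobPublicAccess": false, "allowSharedKeyAccess": false,
  "allowCrossTenantReplication": false, "defaultToOAuthAuthentication": true,
  "networkRuleSet": {"defaultAction": "Deny"},
  "encryption": {"keySource": "Microsoft.Keyvault",
                 "requireInfrastructureEncryption": true}}"""
TLS_OK = {"TLS1_2", "TLS1_3"}

def get(acct, path, default=None):
    """Walk a dotted path such as 'networkRuleSet.defaultAction'."""
    node = acct
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

# (finding id, severity, predicate that is True when the setting is weak,
# remediation). A missing property counts as weak rather than assumed safe.
CHECKS = [
    ("secure-transfer-disabled", "high",
     lambda a: get(a, "supportsHttpsTrafficOnly") is not True, "--https-only true"),
    ("tls-floor-below-1.2", "high",
     lambda a: get(a, "minimumTlsVersion") not in TLS_OK, "--min-tls-version TLS1_2"),
    ("anonymous-container-access-allowed", "high",
     lambda a: get(a, "allowBlobPublicAccess") is not False, "--allow-blob-public-access false"),
    ("network-default-allow", "high",
     lambda a: get(a, "networkRuleSet.defaultAction") != "Deny", "--default-action Deny"),
    # Disabling Shared Key also rejects SAS tokens; migrate clients first.
    ("shared-key-access-enabled", "medium",
     lambda a: get(a, "allowSharedKeyAccess") is not False, "--allow-shared-key-access false"),
    ("cross-tenant-replication-allowed", "medium",
     lambda a: get(a, "allowCrossTenantReplication") is not False, "--allow-cross-tenant-replication false"),
    ("infrastructure-encryption-off", "medium",
     lambda a: get(a, "encryption.requireInfrastructureEncryption") is not True, "(set at creation only)"),
    ("portal-not-defaulting-to-entra", "low",
     lambda a: get(a, "defaultToOAuthAuthentication") is not True, "--default-to-oauth-authentication true"),
    ("microsoft-managed-keys-only", "info",
     lambda a: get(a, "encryption.keySource") != "Microsoft.Keyvault", "(configure CMK via Key Vault)"),
]

def audit(text: str) -> list[dict]:
    """Parse the account JSON and return one finding per weak setting, in CHECKS order."""
    account = json.loads(text)
    return [{"id": i, "severity": s, "fix": f} for i, s, weak, f in CHECKS if weak(account)]

if __name__ == "__main__":
    for finding in audit(PERMISSIVE_ACCOUNT):
        print(f"[{finding['severity']}] {finding['id']}: {finding['fix']}")
```

Feed it the JSON of a real account (`az storage account show -n <name> -g <group>`) to get the same report; the infrastructure encryption finding cannot be fixed in place because, as the article notes, that option is only available at creation time.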


Tags

Add metadata to your Azure resources in the form of key-value pairs. These tags allow you to organize and manage your Azure resources more effectively by allowing you to categorize resources based on criteria that make sense for your organization.

Tags help you categorize and organize your resources logically. For example, you might tag all resources associated with a particular project with a ProjectName tag, making it much easier to filter and manage those resources later.

You can also tag resources with cost center identifiers, which allow you to generate reports and allocate costs to the correct departments or projects.

Finally, tags can be used to automate tasks or enforce governance policies. For instance, you might have a policy that all resources must include a Compliance tag to make sure they meet regulatory requirements.
