AZ-104
Azure Administrator
Module 07 – Azure Storage
Instructor: Sharif Khairy
AZ-900
Contents
Module 07 – Azure Storage
In this module, you will learn about basic storage features including storage
accounts, blob storage, Azure files and File Sync, storage security, and storage
tools.
This module includes:
● Storage Accounts
● Blob Storage
● Storage Security
● Azure Files and File Sync
● Managing Storage
● Lab 07 - Manage Azure storage
Storage Technologies Overview
What is Storage?
Computer data storage or digital data
storage is a technology consisting of
computer components and recording
media that are used to retain digital data.
HDD (Hard Disk Drive)
SSD (Solid State Drive)
NAS (Network Attached Storage)
DAS (Direct Attached Storage)
SAN (Storage Area Network)
Storage Accounts
Azure Storage is Microsoft's cloud storage solution
for modern data storage scenarios.
Azure Storage offers a massively scalable object
store for data objects, a file system service for the
cloud, a messaging store for reliable messaging,
and a NoSQL store.
Azure Storage
Azure Storage is:
● Durable and highly available.
● Secure.
● Scalable.
● Managed. Microsoft Azure handles hardware maintenance, updates, and
critical issues for you.
● Accessible. Data is accessible from anywhere in the world over HTTP or HTTPS.
Azure Storage is used by IaaS virtual machines and by PaaS cloud services.
Azure Storage falls into three categories:
● Storage for Virtual Machines. This includes disks and files.
● Unstructured Data. This includes Blobs and Data Lake Store.
● Structured Data. This includes Tables, Cosmos DB, and Azure SQL DB.
Storage Account Tiers
Storage accounts have two tiers: Standard and Premium.
● Standard: backed by HDD drives, with the lowest cost per GB.
Best for applications where data is accessed infrequently.
● Premium: backed by SSD drives, with consistent low-latency performance.
Can only be used with Azure virtual machine disks and is best for databases.
Azure Storage Services
Azure Storage data services are accessed through a storage account.
● Azure Containers (Blobs): A massively scalable object store for text and binary
data.
● Azure Files: Managed file shares for cloud or on-premises deployments.
● Azure Queues: A messaging store for reliable messaging between application
components.
● Azure Tables: A NoSQL store for schemaless storage of structured data.
Storage Account Kinds
Azure Storage offers several types of storage accounts.
Each type supports different features and has its own pricing model.
The types of storage accounts are:
Block blob storage accounts (BlockBlobStorage). Blob-only storage
accounts with premium performance characteristics.
Recommended for scenarios with high transaction rates, using smaller
objects, or requiring consistently low storage latency.
FileStorage storage accounts (FileStorage). Files-only storage accounts with
premium performance characteristics.
Recommended for enterprise or high performance scale applications.
Blob storage accounts (BlobStorage). Blob-only storage accounts.
Use general-purpose v2 accounts instead when possible.
All storage accounts are encrypted using Storage Service Encryption (SSE) for
data at rest.
Replication Strategies
The data in your Azure storage account is always replicated to ensure durability
and high availability.
You can choose to replicate your data within the same data center, across zonal
data centers within the same region, and even across regions.
Replication ensures that your storage account meets the Service-Level
Agreement (SLA) for Storage even in the face of failures.
Comparison of replication options
The following table provides a quick overview of the scope of durability and availability
Accessing Storage
Every object that you store in Azure Storage has a unique URL address.
● Container service: http://mystorageaccount.blob.core.windows.net
● Table service: http://mystorageaccount.table.core.windows.net
● Queue service: http://mystorageaccount.queue.core.windows.net
● File service: http://mystorageaccount.file.core.windows.net
Configuring a Custom Domain
You can configure a custom domain for accessing blob data in your Azure storage
account.
The default endpoint for Azure Blob storage is
<storage-account-name>.blob.core.windows.net.
Securing Storage Endpoints
To control access to a storage account, use the Firewalls and virtual
networks blade to add the virtual networks that will have access.
You can also allow access from one or more public IP ranges.
Demonstration - Securing Storage Endpoints
Create a storage account in the portal
Create a subnet service endpoint
Blob Storage
Azure Blob storage is a service that stores unstructured
data in the cloud.
Blob storage can store any type of text or binary data,
such as a document, media file, or application installer.
Common uses of Blob storage include:
● Serving images or documents directly to a browser.
● Storing files for distributed access, such as installation.
● Streaming video and audio.
● Storing data for backup and restore, disaster recovery, and archiving.
● Storing data for analysis by an on-premises or Azure-hosted service.
Blob service resources
Blob storage offers three types of resources:
● The storage account
● Containers in the storage account
● Blobs in a container
Diagram shows the relationship between these resources.
Blob Containers
An account can contain an unlimited number of containers.
A container can store an unlimited number of blobs.
Public access level: Specifies whether data in the container may be accessed
publicly.
Blob Access Tiers
Azure Storage provides different options for accessing block blob data.
Hot. The Hot tier is optimized for frequent access of objects in the storage account.
New storage accounts are created in the Hot tier by default.
Cool. The Cool tier is optimized for storing large amounts of data that is
infrequently accessed and stored for at least 30 days.
Archive. The Archive tier is for data that is stored for at least 180 days.
Uploading Blobs
Azure Storage offers three types of blobs:
Block blobs
Page blobs
Append blobs
Demonstration - Blob Storage
In this demonstration, you will explore blob storage.
Note: This demonstration requires a storage account.
Create a container
Upload a block blob
Download a block blob
Storage Security
Azure Storage provides a comprehensive set of security capabilities.
Encryption. All data written to Azure Storage is automatically encrypted using
Storage Service Encryption (SSE).
Authentication. Azure Active Directory (Azure AD) and Role-Based Access
Control (RBAC) are supported for Azure Storage.
Data in transit. Data can be secured in transit between an application and
Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.
Disk encryption. OS and data disks used by Azure virtual machines can be
encrypted using Azure Disk Encryption.
Shared Access Signatures. Delegated access to the data objects in Azure Storage
can be granted using Shared Access Signatures.
Authorization options
Authorization ensures that resources in your storage account are accessible
only when you want them to be, and only to those users or applications to
whom you grant access.
Options for authorizing requests to Azure Storage include:
Azure Active Directory (Azure AD). You can assign fine-grained access to users,
groups, or applications via role-based access control (RBAC).
Shared Key.
Shared access signatures (SAS). A SAS delegates access to a particular resource in your
account with specified permissions and over a specified time interval.
Anonymous access to containers and blobs. You can optionally make blob
resources public at the container or blob level.
Read requests to public containers and blobs do not require authorization.
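
Added example (not part of the original slides): a Python check that parses the query string of a SAS URL and flags weak delegation settings, namely no HTTPS-only restriction, a long validity window, modifying permissions, or account-wide scope. The sample URLs, the 24-hour limit and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qsl, urlencode

MAX_LIFETIME = timedelta(hours=24)   # assumed policy limit, adjust to your own
MODIFYING = set("wdac")              # sp letters: write, delete, add, create

# Constructed sample URLs (signatures are placeholders, not real tokens).
WEAK_SAS = ("http://mystorageaccount.blob.core.windows.net/?sv=2022-11-02"
            "&ss=bfqt&srt=sco&sp=rwdlacup&st=2024-01-01T00:00:00Z"
            "&se=2025-01-01T00:00:00Z&sig=CONSTRUCTED")
TIGHT_SAS = ("https://mystorageaccount.blob.core.windows.net/docs/report.pdf"
             "?sv=2022-11-02&sr=b&sp=r&st=2024-01-01T00:00:00Z"
             "&se=2024-01-01T01:00:00Z&spr=https&sig=CONSTRUCTED")
NOW = datetime(2024, 1, 1, 0, 30, tzinfo=timezone.utc)


def _utc(value):
    """Parse an ISO 8601 SAS timestamp (st/se) as an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def audit_sas(url, now):
    """Return {finding_code: explanation} for one SAS URL."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query))
    if "sig" not in q:
        return {"NOT_SAS": "no sig parameter, not a SAS URL"}
    found = {}
    if parts.scheme != "https":
        found["HTTP_URL"] = "URL scheme is http, the token travels in clear text"
    # When spr is absent the service accepts both https and http.
    if q.get("spr", "https,http") != "https":
        found["NO_HTTPS_ONLY"] = "spr does not restrict the token to https"
    if "se" in q:
        expiry = _utc(q["se"])
        start = _utc(q["st"]) if "st" in q else now
        if expiry <= now:
            found["EXPIRED"] = "token expired at " + q["se"]
        elif expiry - start > MAX_LIFETIME:
            found["LONG_LIVED"] = "valid for %s" % (expiry - start)
    elif "si" not in q:
        found["NO_EXPIRY"] = "no se and no stored access policy (si)"
    risky = sorted(MODIFYING & set(q.get("sp", "")))
    if risky:
        found["MODIFY_PERMS"] = "sp grants modifying permissions: " + "".join(risky)
    if "srt" in q:
        found["ACCOUNT_SCOPE"] = "account SAS (ss/srt), not a single resource"
    return found


def redact(url):
    """Replace the signature so the URL can be written to logs or tickets."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == "sig" else v)
             for k, v in parse_qsl(parts.query)]
    return parts._replace(query=urlencode(pairs, safe=":,")).geturl()


if __name__ == "__main__":
    for sample in (WEAK_SAS, TIGHT_SAS):
        print(redact(sample))
        for code, text in audit_sas(sample, NOW).items():
            print("  %s: %s" % (code, text))
```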
Storage Service Encryption
Azure Storage Service Encryption (SSE) protects your data.
The Azure storage platform automatically encrypts your data before persisting it to
Azure Managed Disks, Azure Blob, Queue, Table storage, or Azure Files, and
decrypts the data before retrieval.
Data is encrypted with 256-bit AES encryption, one of the
strongest block ciphers available.
SSE is enabled for all new and existing storage accounts and cannot be
disabled.
Because your data is secured by default, you don't need to modify your code or
applications.
Customer Managed keys
If you prefer, you can use the Azure Key Vault to manage your encryption keys.
With the Key Vault you can create your own encryption keys and store them in
a key vault, or you can use Azure Key Vault's APIs to generate encryption keys.
Using custom keys gives you more flexibility and control when creating,
disabling, auditing, rotating, and defining access controls.
The storage account and the key vault must be in the same region, but they
can be in different subscriptions.
Azure Files and File Sync
File storage offers shared storage for applications using the industry
standard SMB protocol.
Microsoft Azure virtual machines and cloud services can share file data
across application components via mounted shares, and on-premises
applications can also access file data in the share.
Common uses of file storage
Replace and supplement. Azure Files can be used to completely replace or
supplement traditional on-premises file servers or NAS devices.
Access anywhere. Popular operating systems such as Windows, macOS, and
Linux can directly mount Azure File shares wherever they are in the world.
Lift and shift. Azure Files makes it easy to “lift and shift” applications to the
cloud that expect a file share to store file application or user data.
Azure File Sync. Azure File shares can also be replicated with Azure File Sync to
Windows Servers, either on-premises or in the cloud, for performance and
distributed caching of the data where it's being used.
Shared applications. Storing shared application settings, for example in
configuration files.
Diagnostic data. Storing diagnostic data such as logs, metrics, and crash
dumps in a shared location.
Tools and utilities. Storing tools and utilities needed for developing or
administering Azure virtual machines or cloud services.
Comparing Files and Blobs
Sometimes it is difficult to decide when to use file shares instead of blobs or disk
shares. Take a minute to review this table that compares the different features.
Managing File Shares
To access your files, you will need a storage account.
Once that is in place, provide the file share Name and the Quota.
Quota refers to the total size of files on the share.
Mapping File Shares (Windows)
You can connect to your Azure file share with
Windows or Windows Server.
All of this information is available by selecting
Connect from your file share page.
Ensure port 445 is open.
Azure Files uses SMB protocol.
SMB communicates over TCP port 445. Ensure your firewall is not blocking TCP
port 445 from the client machine.
Secure Transfer Required
The secure transfer option enhances the security of your storage account by only
allowing requests to the storage account over a secure connection.
For example, when calling REST APIs to access your storage accounts, you must
connect using HTTPS.
Any requests using HTTP will be rejected when Secure transfer required is enabled.
Because Azure storage doesn’t support HTTPS for custom domain names, this
option is not applied when using a custom domain name.
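
Added example (not part of the original slides): a Python audit of exported storage account settings that covers the firewall rules from Securing Storage Endpoints, the container public access level, and Secure transfer required. The account records are constructed, the field names are assumed to match the JSON printed by `az storage account show`, and the 256-address threshold is an assumed policy value.

```python
import ipaddress
import json

MAX_RANGE_ADDRESSES = 256   # assumed threshold for an overly broad IP rule

# Constructed sample data. Field names follow the JSON printed by
# `az storage account show` (an assumption; adjust to your export).
SAMPLE = json.loads("""
[
  {"name": "legacyacct",
   "enableHttpsTrafficOnly": false,
   "allowBlobPublicAccess": true,
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [],
                      "virtualNetworkRules": []}},
  {"name": "partneracct",
   "enableHttpsTrafficOnly": true,
   "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"action": "Allow",
                                   "ipAddressOrRange": "198.51.100.0/22"}],
                      "virtualNetworkRules": []}},
  {"name": "hardenedacct",
   "enableHttpsTrafficOnly": true,
   "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny",
                      "ipRules": [{"action": "Allow",
                                   "ipAddressOrRange": "203.0.113.10"}],
                      "virtualNetworkRules": [
                          {"action": "Allow",
                           "virtualNetworkResourceId": "<subnet-resource-id>"}]}}
]
""")


def audit_account(acct):
    """Return {finding_code: explanation} for one storage account record."""
    found = {}
    if acct.get("enableHttpsTrafficOnly") is not True:
        found["SECURE_TRANSFER_OFF"] = "HTTP requests are accepted"
    rules = acct.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        found["ALL_NETWORKS"] = "firewall default action is not Deny"
    broad = []
    for rule in rules.get("ipRules") or []:
        net = ipaddress.ip_network(rule["ipAddressOrRange"], strict=False)
        if net.num_addresses > MAX_RANGE_ADDRESSES:
            broad.append(str(net))
    if broad:
        found["BROAD_IP_RULE"] = "wide public ranges allowed: " + ", ".join(broad)
    # Conservative assumption: anything other than an explicit false is flagged.
    if acct.get("allowBlobPublicAccess") is not False:
        found["PUBLIC_ACCESS_POSSIBLE"] = "containers may be made anonymous-readable"
    return found


def audit_all(accounts):
    """Map account name -> findings, keeping only accounts with findings."""
    report = {a["name"]: audit_account(a) for a in accounts}
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        for code, text in findings.items():
            print(f"{name}: {code}: {text}")
```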
File Share Snapshots
Azure Files provides the capability to take share snapshots of file shares.
You cannot delete a share that has share snapshots unless you delete all the share
snapshots first.
When to use share snapshots
Protection against application error and data corruption.
Protection against accidental deletions or unintended changes.
General backup purposes.
Demonstration - File Shares
Create a file share and upload a file.
Manage snapshots.
File Sync
Use Azure File Sync to centralize your organization's file shares in Azure Files.
Azure File Sync transforms Windows Server into a quick cache of your Azure file
share.
You can use any protocol that's available on Windows Server to access your data
locally, including SMB, NFS, and FTPS.
You can have as many caches as you need across the world.
There are many uses and advantages to file sync.
1. Lift and shift. The ability to move applications that require access between
Azure and on-premises systems.
Provide write access to the same data across Windows Servers and Azure Files.
2. Branch Offices. Branch offices need to back up files, or you need to set up a
new server that will connect to Azure storage.
3. Backup and Disaster Recovery. Once File Sync is implemented, Azure
Backup will back up your on-premises data.
Also, you can restore file metadata immediately and recall data as needed for
rapid disaster recovery.
4. File Archiving. Only recently accessed data is located on local servers.
Non-used data moves to Azure in what is called Cloud Tiering.
File Sync Components
To gain the most from Azure File Sync, it's important to understand the
terminology.
Storage Sync Service. The Storage Sync Service resource is a peer of the
storage account resource, and can similarly be deployed to Azure resource
groups.
Storage Sync Service can create sync relationships with multiple storage
accounts via multiple sync groups.
Sync group. A sync group defines the sync topology for a set of files.
Registered server. The registered server object represents a trust relationship
between your server (or cluster) and the Storage Sync Service.
Azure File Sync agent. The Azure File Sync agent is a downloadable package
that enables Windows Server to be synced with an Azure file share.
Server endpoint. A server endpoint represents a specific location on a
registered server, such as a folder on a server volume.
Cloud endpoint. A cloud endpoint is an Azure file share that is part of a sync
group.
File Sync Steps
There are several high-level steps for configuring File Sync.
1. Deploy the Storage Sync Service. The Storage Sync
Service can be deployed from the Azure portal.
You will need to provide Name, Subscription, Resource
Group, and Location.
2. Prepare Windows Server to use with Azure File Sync. Preparation steps
include temporarily disabling Internet Explorer Enhanced Security and
ensuring you have the latest PowerShell version.
3. Install the Azure File Sync Agent. The Azure File Sync agent is a
downloadable package that enables Windows Server to be synced with an
Azure file share.
4. Register Windows Server with Storage Sync Service. When the Azure File
Sync agent installation is finished, the Server Registration UI automatically
opens.
Registering Windows Server with a Storage Sync Service establishes a trust
relationship between your server (or cluster) and the Storage Sync Service.
Managing Storage
Azure Storage Explorer is a standalone app
that makes it easy to work with Azure Storage
data on Windows, macOS, and Linux.
With Storage Explorer you can access multiple
accounts and subscriptions and manage all
your storage content.
To fully access resources after you sign in,
you need Azure Active Directory (Azure AD)
permissions, which give you access to your
storage account, the containers in the
account, and the data in the containers.
Connecting to storage
● Connect to storage accounts associated with your Azure subscriptions.
● Connect to storage accounts and services that are shared from other Azure
subscriptions.
● Connect to and manage local storage by using the Azure Storage Emulator.
● Connect to an Azure subscription. Manage storage resources that belong to
your Azure subscription.
● Work with local development storage. Manage local storage by using the
Azure Storage Emulator.
Accessing external storage accounts
Storage Explorer lets you attach to external storage accounts so that storage
accounts can be easily shared.
To create the connection, you will need the storage account name and account key.
Demonstration - Storage Explorer
Download and install Storage Explorer
https://azure.microsoft.com/en-us/products/storage/storage-explorer/
Connect to an Azure subscription
Attach an Azure storage account
Generate a SAS connection string for the account you want to share (Shared
Access Signature)
Attach to a storage account by using a SAS Connection string
Import and Export Service
Azure Import/Export service is used to securely import large amounts of data to
Azure Blob storage and Azure Files by shipping disk drives to an Azure
datacenter.
This service can also be used to transfer data from Azure Blob storage to disk
drives and ship to your on-premises sites.
Usage Cases
Use the Import/Export service when uploading or downloading data over the network is too slow or getting
additional network bandwidth is cost-prohibitive. Scenarios where this would be
useful include:
● Migrating data to the cloud. Move large amounts of data to Azure quickly and
cost effectively.
● Content distribution. Quickly send data to your customer sites.
● Backup. Take backups of your on-premises data to store in Azure blob storage.
● Data recovery. Recover a large amount of data stored in blob storage and have it
delivered to your on-premises location.
Import Jobs
An Import job securely transfers large amounts of data to Azure Blob storage
(block and page blobs) and Azure Files by shipping disk drives to an Azure
datacenter.
Export Jobs
Export jobs transfer data from Azure storage to hard disk drives that are shipped to your
on-premises sites.
Import/Export Tool (WAImportExport)
The Azure Import/Export Tool is the drive preparation and repair tool that you can
use with the Microsoft Azure Import/Export service.
You can use the tool for the following functions:
● Before creating an import job, you can use this tool to copy data to the hard
drives you are going to ship to an Azure datacenter.
● After an import job has completed, you can use this tool to repair any blobs that
were corrupted, were missing, or conflicted with other blobs.
● After you receive the drives from a completed export job, you can use this tool
to repair any files that were corrupted or missing on the drives.
Import/Export service requires the use of internal SATA II/III HDDs or SSDs.
Each disk contains a single NTFS volume that you encrypt with BitLocker when
preparing the drive.
To prepare a drive, you must connect it to a computer running a 64-bit version of
the Windows client or server operating system and run the WAImportExport tool
from that computer.
The WAImportExport tool handles data copy, volume encryption, and creation of
journal files.
Journal files are necessary to create an import/export job and help ensure the
integrity of the data transfer.
Data Box
Data Box products are available for both offline and online scenarios.
Data Box for offline scenarios
Use Data Box offline data transfer products to move large amounts of data to
Azure when you’re limited by time, network availability, or costs.
Scenarios for offline data box products include one-time migration, incremental
transfers, and periodic updates.
For example:
● Moving data from offline tapes to archival data in Azure cool storage.
● Moving a media library from offline tapes into Azure to create an online media
library.
● Migrating your VM farm, SQL Server, and applications to Azure.
● Moving historical data to Azure for in-depth analysis and reporting, using
HDInsight.
● Moving backup data to Azure for offsite storage.
You can move your data to Azure using common copy tools such as Robocopy.
Data Box for online scenarios
Data Box online data transfer products, Data Box Edge and Data Box Gateway,
create a link between your site and Azure storage.
This makes moving data to and from Azure as easy as working with a local
network share.
Data Box Gateway
Data Box Gateway transfers data to and from Azure.
It’s a virtual appliance based on a virtual machine provisioned in your virtualized
environment or hypervisor.
The virtual device resides on your premises, and you write data to it using the
NFS and SMB protocols.
The device then transfers your data to Azure block blob, page blob, or Azure Files.
Data Box Edge
Data Box Edge is an on-premises physical network appliance that transfers data to and
from Azure.
Azure Data Box Edge is an AI-enabled edge computing device with network data
transfer capabilities.
AzCopy
An alternative method for transferring data is AzCopy.
AzCopy v10 is the next-generation command-line utility for copying data
to/from Microsoft Azure Blob and File storage, which offers a redesigned
command-line interface and new architecture for high-performance reliable
data transfers.
Using AzCopy, you can copy data between a file system and a storage account,
or between storage accounts.
AzCopy is available on Windows, Linux, and macOS.
Demonstration - AzCopy
Install the AzCopy tool
Download a blob from Blob storage to the file system
Upload files to Azure blob storage
Module 07 Lab
Objectives
In this lab, you will:
● Task 1: Provision the lab environment.
● Task 2: Create and configure Azure Storage accounts.
● Task 3: Manage blob storage.
● Task 4: Manage authentication and authorization for Azure Storage.
● Task 5: Create and configure Azure Files shares.
● Task 6: Manage network access for Azure Storage.
Thanks!
Any questions?