Just as your computer stores data in the file explorer under different file names, Azure stores data in storage accounts. A storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in a storage account is durable, highly available, secure and massively scalable.
Again, your computer organises stored data into pictures, videos, downloads, music and documents; in Azure Storage, data is grouped into Blobs (in containers), Files, Tables and Queues. This article focuses on blobs, which hold unstructured data.
This write-up demonstrates how to create a storage account and a blob container, generate a shared access signature (SAS), change the access tier and delete the storage account.
To create Azure blob storage, you need a Microsoft Azure account or subscription. Use the link to create a free account, or log in to the Azure portal to start.
CREATE YOUR STORAGE ACCOUNT
a. Log in or sign in to your Azure account
b. Search for “Storage accounts” in the search bar and click on it to open it
c. Click “Create” or “Create storage account” on the Storage accounts page to go to the next page
BASICS
This contains some segments that need to be completed.
Project details
a. Leave subscription as default “Azure subscription 1”.
b. Click on the drop down arrow to use an existing resource group or click on “Create new” to create a new resource group.
Instance details
a. Name your storage account. The name must be unique within Azure, and only lower-case letters are admissible.
b. Click on the drop-down and select the region where you want the storage to be located or deployed.
c. Click on the drop-down for “Primary service” and select Azure Blob Storage or Azure Data Lake Storage Gen 2.
d. Choose “Standard” for performance; it is recommended for most scenarios and costs less than Premium. If your work requires low latency (delay), choose Premium.
e. Click on the drop-down arrow for “Redundancy” and choose “Geo-redundant storage (GRS)”, which has failover capability in a secondary region and is recommended for backup scenarios.
f. Click on “Next” to go to the next page.
ADVANCED
a. Under Security, tick the box “Allow enabling anonymous access on individual containers”.
“Cross-tenant replication” replicates data across different Microsoft Entra tenants, which allows redundancy and disaster recovery across organisational boundaries. It helps with data accessibility and sharing, but poses a significant security risk if not managed properly.
We will not allow cross-tenant replication, so the box is left at its default, unticked.
b. Choose the access tier you would like for your account. For this demonstration, the “Hot” tier is used.
The Hot tier is for frequently accessed data and has the highest storage cost but the lowest access cost, while Archive is for data that is rarely accessed, stored for a minimum of 180 days, and has the lowest storage cost but the highest access cost.
The Cool and Cold tiers fall between Hot and Archive: their storage costs are higher than Archive but lower than Hot, and their access costs are lower than Archive but higher than Hot.
The Archive tier is not listed here, but the tier can be changed to Archive after the account and container have been created.
c. Click on “Next” to go to the next page.
NETWORKING
a. Leave network access at its default, “Enable public access from all networks”.
If public access from all networks is enabled, the storage URL can be reached over the internet by the public; if it is disabled, the storage becomes private and accessible to you alone.
A private endpoint is a network interface that uses a private IP address from your virtual network. It connects you privately and securely to a service through your virtual network, with the help of Azure Private Link.
b. Leave “Private endpoint” at its default. Do not add any private endpoint.
c. Leave network routing at its default, “Microsoft network routing”.
d. Click on “Next” to go to the next page, Data protection.
DATA PROTECTION
Enable soft delete for blobs, containers and file shares to allow restoration of data that was previously marked for deletion.
a. You can edit the number of days to retain deleted blobs, containers and file shares to increase or decrease the retention period.
b. Tracking (blob versioning and blob change feed) is left at its default because point-in-time restore for containers was disabled.
NB: Blob versioning and blob change feed can only be enabled if you want to enable point-in-time restore for containers.
c. Click on “Next” to go to the next page
ENCRYPTION
The defaults are kept: the encryption type is Microsoft-managed keys (MMK), and support for customer-managed keys is enabled for blobs and files only.
Click on “Review and create”; the next page, “TAGS”, is also left at its default.
REVIEW AND CREATE
On this page you can review the configuration and settings from the different pages, and go back to adjust or modify any choice.
Click on “Create” to continue to the storage account creation.
DEPLOYMENT COMPLETE
After you click Create, the page shows that deployment is in progress.
Deployment completes within seconds, or within a minute or two.
Click on “Go to resource”.
The storage account has been created successfully, so we will go ahead to create a container.
CREATING YOUR CONTAINER
a. In the left sidebar, click on the drop-down arrow for storage and select “Containers”.
b. Click on “+ Container” (Add container) to create a container.
c. Name your container
d. Click on the dropdown menu for Anonymous access level and choose “Container (anonymous read access for containers and blobs)”.
NB: If anonymous access was not enabled for this storage account, the column will show “Private (no anonymous access)” and it cannot be changed at this stage.
e. Click on “Create”
NB: When you choose “Container (anonymous read access for containers and blobs)”, a message appears below the column to tell you what happens when you choose that anonymous access level.
At this point, we have succeeded in creating a container within the storage account.
Upload file into container
To upload data into a container, take the following steps:
a. Double-click or open the container that was created
b. Click on “Upload” at the top of the screen; a box pops up
c. Drag and drop files, or click on “Browse for files” to add documents or files to the blob container
d. Choose a document/file from your file explorer and upload
e. Click on “Upload”
File uploaded
You will notice that the file has been uploaded into the container, as in the image below.
GENERATE SAS UNIFORM RESOURCE LOCATOR (SAS URL)
A SAS (Shared Access Signature) grants limited, delegated access to resources in a storage account. This gives you control over how a client or user accesses your stored data. A URL (Uniform Resource Locator) is a unique identifier used to locate a resource on the internet. When a SAS URL is generated and shared with a client, they can view or access the data or file in your storage account for a limited time (set by the owner) and perform only the tasks you gave them permission to.
a. To generate a SAS, click on the uploaded file and then click on “Generate SAS”
Permissions
b. Click on the drop down for Permissions and select “Read”.
This gives the person or user you share the file with (via the URL) permission only to read the document, and not to perform any other task.
Generate SAS Token and URL
c. Edit the start date and time: the user(s) will be able to view the file from this time. The file will be unavailable before this date and time.
d. Edit the stop date and time: User(s) will not be able to view the file after this date and time.
e. Click on “Generate SAS token and URL”
f. Select HTTPS and HTTP for the Allowed protocols.
To see how this works, and what the client can access and do with your file:
g. Copy the SAS URL as highlighted below
h. Open a new browser page or window, paste the URL and press Enter
The shared file can be viewed, like the image below, if it is accessed within the dates and times set up
Error message after the time and date have elapsed
If a user tries to access the file after the set time has elapsed, they will get an error message like the one below, showing the expiry date and time for viewing the file.
The same applies to viewing the file before the start date and time: a similar error message shows that it is not yet time for the file to be viewed.
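The SAS settings chosen above (Read permission, start and expiry times, allowed protocols) are all bound into the signature, and the portal's “not yet valid” and “expired” errors come from checking the same fields. As an added example (not the project's or Microsoft's code, and run offline against a constructed key), the block below builds a service SAS URL for one blob with the documented string-to-sign for service version 2020-02-10, and audits an existing SAS URL: it reports whether the link works at a given time and flags settings worth a second look, such as allowing plain HTTP. The 7-day lifetime threshold is an assumed review limit, not an Azure rule.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAS_VERSION = "2020-02-10"  # assumed service version; the field order below matches it
DEMO_KEY_B64 = base64.b64encode(b"\x01" * 32).decode()  # constructed stand-in for an account key

def sign_blob_sas(account, key_b64, container, blob, perms, start, expiry, protocol="https"):
    """Build a service SAS URL for one blob: the fields the portal's 'Generate SAS' page fills in."""
    query = {"sp": perms, "st": start, "se": expiry, "spr": protocol, "sv": SAS_VERSION, "sr": "b"}
    string_to_sign = "\n".join([
        perms, start, expiry,
        f"/blob/{account}/{container}/{blob}",  # canonicalized resource
        "",                                     # signed identifier (no stored access policy)
        "",                                     # signed IP range (none)
        protocol, SAS_VERSION, "b",             # protocol, version, resource type = blob
        "",                                     # snapshot time
        "", "", "", "", "",                     # rscc, rscd, rsce, rscl, rsct header overrides
    ])
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode(), hashlib.sha256)
    query["sig"] = base64.b64encode(mac.digest()).decode()  # any edit to sp/st/se invalidates this
    return f"https://{account}.blob.core.windows.net/{container}/{blob}?{urlencode(query)}"

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_sas_url(url, now=None):
    """Report whether a SAS URL works at `now` (ISO-8601 'Z' string; default: current time) and flag risky settings."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    now = _utc(now) if now else datetime.now(timezone.utc)
    start = _utc(q["st"]) if "st" in q else None   # st is optional; absent means valid immediately
    expiry = _utc(q["se"])
    if start and now < start:
        status = "not yet valid"      # the 'before start date' error the portal shows
    elif now >= expiry:
        status = "expired"            # the 'after expiry' error
    else:
        status = "usable"
    findings = []
    if "http" in q.get("spr", "https").split(","):
        findings.append("plain HTTP allowed: token can be read on the wire")
    if set(q["sp"]) - {"r"}:
        findings.append("permissions beyond read: " + q["sp"])
    if start and (expiry - start).days > 7:
        findings.append("lifetime longer than 7 days")  # assumed review threshold, not an Azure rule
    return {"status": status, "permissions": q["sp"], "findings": findings}
```

Selecting only HTTPS in the Allowed protocols step clears the HTTP finding; the URL returned by sign_blob_sas can be fed straight into audit_sas_url.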
Change of tier
Some documents may not be accessed for a very long time (more than 180 days), and there may be a need to change the tier to Archive.
NB: This is for demonstration purposes only as the “Hot tier” was retained in this article.
Stay on the uploaded file's page, where the overview shows the properties of the file in the container.
a. Click on “Change tier”
b. In the box that pops up, click on the drop-down for the Access tier column and choose “Archive”.
You will be notified below that the change in tier may result in extra charges and that your blob may be inaccessible for some time.
c. Confirm your choice by clicking “Save”.
Deleting your storage account
To delete your storage account to avoid incurring extra charges:
a. Go back to the Storage accounts page
b. Click on “Delete” at the top right corner of the page
c. A box pops out to confirm deletion; click on “Delete”
d. Enter “Delete” in the box to confirm again
e. Click on “Delete” to complete the process.
NB: Remember that this storage account will be soft deleted and can be retrieved within 7 days (the number of days entered on the Data Protection page during creation of the storage account).
Hope this was helpful!