Understanding Azure Storage Accounts

AZ-104 notes: Understanding Azure Storage Accounts. Covers key concepts for the Azure Administrator Associate exam.

Primary service:

  • Azure Storage Account
  • A Storage Account is the top-level storage container resource in Azure. All Azure storage services live inside a storage account.

Think of it as:

  • The control plane container for multiple storage services.

1️⃣ Storage Account = Multi-Service Platform

A single storage account can host multiple subservices:

📦 Azure Blob Storage

  • Azure Blob Storage
  • Object storage service.

Used for:

  • Images
  • Videos (MP4)
  • Audio (MP3)
  • Logs
  • Backups
  • Data lake storage
  • VHD files

Types:

  • Block blobs
  • Page blobs
  • Append blobs

📁 Azure Files

  • Azure Files
  • Managed file shares in the cloud.

Protocols:

  • SMB
  • NFS

Benefits:

  • Fully managed
  • Highly available
  • No on-prem file server management

📨 Azure Queue Storage

  • Azure Queue Storage
  • Message-based storage system.

Common in:

  • Microservices architectures
  • Decoupled systems
  • Event-driven apps
  • Pattern: Publisher → Queue → Consumer

🗄 Azure Table Storage

  • Azure Table Storage
  • NoSQL key-value store.

Used for:

  • Semi-structured data
  • Lightweight structured storage
  • Fast lookup workloads

2️⃣ Storage Account Endpoint Structure

Each subservice has its own endpoint:

  • https://<storageaccount>.blob.core.windows.net
  • https://<storageaccount>.file.core.windows.net
  • https://<storageaccount>.queue.core.windows.net
  • https://<storageaccount>.table.core.windows.net

Pattern:

  • <account-name>.<service>.core.windows.net

Storage account name:

  • Globally unique
  • 3–24 characters
  • Lowercase letters and numbers only

3️⃣ Storage Account Configuration Components

When creating a storage account, you choose:

🔹 1. Account Type

Most common:

  • General Purpose v2 (GPv2)

Other types:

  • BlobStorage (legacy)
  • Premium (low latency)

🔹 2. Performance Tier

Premium options:

  • Premium Blob
  • Premium Files
  • Premium Page blobs

🔹 3. Replication (Redundancy)

  • This is a CRITICAL exam concept.

Azure global structure:

  • Geography → Region → Availability Zones → Datacenters
  • Storage redundancy determines where your copies live.

🟢 LRS – Locally Redundant Storage

3 copies in:

  • Single availability zone
  • Single region
  • If zone fails → data lost
  • Lowest cost option.

🟡 ZRS – Zone-Redundant Storage

3 copies across:

  • Multiple availability zones
  • Same region
  • Protects against zone failure.

🔵 GRS – Geo-Redundant Storage

3 copies in:

  • Primary region

3 copies in:

  • Secondary region
  • Asynchronous replication.
  • Protects against regional failure.

🟣 GZRS – Geo-Zone-Redundant Storage

3 copies across zones in:

  • Primary region

3 copies in:

  • Secondary region
  • Highest durability without read access.

🔴 RA-GZRS – Read Access Geo-Zone Redundant Storage

  • Same as GZRS
  • Read access to secondary region.

Used for:

  • Global read scaling
  • Disaster recovery readiness

4️⃣ Access Tier (Blob Storage Only)

  • Applies to: Blob storage only.

Options:

Important: Archive tier:

  • Requires rehydration
  • Can take hours to restore

5️⃣ Storage Account Security Features

🔐 Access Keys

Each storage account provides:

  • 2 access keys
  • Root-level access
  • Best practice: Use Azure AD authentication instead of keys when possible.

🔒 Encryption

  • Data encrypted at rest by default
  • Uses Microsoft-managed keys
  • Can use customer-managed keys (CMK)

🌐 Networking

Options:

  • Public endpoint
  • Private endpoint
  • Firewall rules
  • VNet service endpoints

6️⃣ Data Protection Options

Optional features:

  • Soft delete (blobs, containers)
  • Versioning
  • Point-in-time restore
  • Immutable storage (WORM)

7️⃣ Storage Account Architecture View

Inside the portal after deployment:

Essentials

  • Performance
  • Replication
  • Account kind

Data storage

  • Containers (Blob)
  • File shares
  • Queues
  • Tables

Security + networking

  • Access keys
  • Networking
  • Encryption

Settings

  • Endpoints
  • Configuration
  • Tags

8️⃣ High-Level Design Considerations

When designing storage:

  ✔ Required durability level
  ✔ Cost sensitivity
  ✔ Read scalability needs
  ✔ Disaster recovery requirements
  ✔ Access frequency
  ✔ Performance needs
  ✔ Security model

9️⃣ Durability Comparison (Important for Exams)

🔟 Common Exam Pitfalls

  🚩 Storage account name not globally unique → deployment fails
  🚩 Archive tier supports instant access → False
  🚩 ZRS protects against region failure → False
  🚩 LRS stores only 1 copy → False (stores 3)
  🚩 GRS provides automatic failover → False (manual failover unless configured)
  🚩 Access tier applies to all storage types → False (Blob only)

11️⃣ Real-World Architecture Patterns

Web App + Blob Storage

Static content stored in blob.

Microservices + Queue

Decoupled messaging.

Lift-and-Shift File Server

Azure Files replaces on-prem server.

Big Data

Blob Storage + Data Lake.

12️⃣ Conceptual Model

Think of a storage account as:

Control layer
  ↓
Replication engine
  ↓
Performance tier
  ↓
Subservices
  ↓
Access endpoints

13️⃣ Storage Creation Flow (Portal Summary)

  • Choose resource group
  • Enter globally unique name
  • Select region
  • Choose performance (Standard/Premium)
  • Select replication (LRS/ZRS/GRS/GZRS/RA-GZRS)
  • Choose default access tier (Hot/Cool)
  • Configure networking
  • Configure data protection
  • Review and deploy

14️⃣ Summary in One Sentence

  • A storage account is a globally unique, highly durable, configurable storage platform that hosts multiple storage services and allows you to choose performance, redundancy, and cost characteristics at deployment time.

Hands-on: Create a Secure Storage Account

Goal: Create a storage account with private defaults, blob data protection, and clear redundancy choices.

  1. Open Storage accounts > Create.
  2. Choose resource group az104-storage-rg.
  3. Set a globally unique name such as az104store<random>.
  4. Select Standard performance.
  5. Choose redundancy:
    • LRS for low-cost labs.
    • ZRS for zone resilience.
    • GRS or RA-GRS for cross-region durability.
  6. On Advanced, enable secure transfer and keep minimum TLS at the current recommended setting.
  7. On Data protection, enable blob soft delete, container soft delete, and blob versioning.
  8. On Networking, start with public network access enabled for labs, or selected networks for secured practice.
  9. Review and create the storage account.
  10. Create a private container named lab.
  11. Upload a test blob and confirm anonymous access is blocked.
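
To check the result of this lab without clicking through the portal, the following added example (not part of the original notes) audits the account's properties against the choices made in steps 3, 6 and 8 and the access-key advice in the security section. It assumes input shaped like the JSON from `az storage account show`; the sample account, the `audit` helper and the TLS 1.2 floor are assumptions made for illustration.

```python
import json
import re

# Constructed sample, trimmed to the fields checked below and shaped like the
# JSON printed by `az storage account show`; the account name is made up.
SAMPLE = json.loads("""
{
  "name": "az104storedemo01",
  "sku": {"name": "Standard_LRS"},
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": true,
  "allowSharedKeyAccess": null,
  "networkRuleSet": {"defaultAction": "Allow"}
}
""")

NAME_RE = re.compile(r"[a-z0-9]{3,24}")   # naming rule from the notes
ACCEPTED_TLS = {"TLS1_2", "TLS1_3"}       # assumption: TLS 1.2 is the floor


def audit(account):
    """Return (setting, problem) pairs that differ from the lab's secure choices."""
    findings = []
    if not NAME_RE.fullmatch(account.get("name") or ""):
        findings.append(("name", "must be 3-24 lowercase letters and digits"))
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append(("enableHttpsTrafficOnly", "secure transfer is not enforced"))
    if account.get("minimumTlsVersion") not in ACCEPTED_TLS:
        findings.append(("minimumTlsVersion", "below the assumed TLS 1.2 floor"))
    # Anything but an explicit false is treated as: a container could be made anonymous.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append(("allowBlobPublicAccess", "anonymous blob access can be enabled"))
    # Absent or null means the two root-level access keys are accepted.
    if account.get("allowSharedKeyAccess") is not False:
        findings.append(("allowSharedKeyAccess", "access keys accepted; prefer Azure AD"))
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction") != "Deny":
        findings.append(("networkRuleSet.defaultAction", "reachable from all networks"))
    return findings


if __name__ == "__main__":
    for setting, problem in audit(SAMPLE):
        print(f"{setting}: {problem}")
```

A lab account left on public network access will report the `networkRuleSet.defaultAction` finding by design; the other findings should be empty after step 9.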

Hands-on: Test Blob Access Tiers

  1. Upload three files to a container named tier-demo.
  2. Set one blob to Hot, one to Cool, and one to Archive.
  3. Try to download the Archive blob and observe that it must be rehydrated first.
  4. Rehydrate the Archive blob to Cool.
  5. Review estimated rehydration time and priority.
  6. Delete the test blobs after the lab.
