AZ-204 - Azure Storage Accounts
Understanding Storage Accounts
An Azure Storage Account provides a unique namespace for your Azure Storage data, accessible from anywhere via HTTP or HTTPS. It supports Blobs, Files, Queues, Tables, and Disks.
Storage Account Types
| Type | Supported Services | Use Case |
|---|---|---|
| General-purpose v2 (GPv2) | Blob, File, Queue, Table, Disk | Recommended for most scenarios |
| BlockBlobStorage | Block blobs and append blobs only | High transaction rates, low latency |
| FileStorage | Azure Files only | Enterprise file shares with premium performance |
| BlobStorage (legacy) | Block blobs and append blobs | Legacy -- use GPv2 instead |
Blob Storage Tiers
Hot
Optimized for data that is accessed frequently. Highest storage cost, lowest access cost.
Cool
Optimized for data that is infrequently accessed and stored for at least 30 days. Lower storage cost, higher access cost.
Cold
Optimized for data stored for at least 90 days with infrequent access. Lower cost than Cool tier.
Archive
Lowest storage cost but data must be rehydrated before access. Stored for at least 180 days. Access latency can be hours.
Storage Account Settings
Performance Tiers
| Tier | Description |
|---|---|
| Standard | Uses magnetic drives (HDD). Best for general-purpose workloads. |
| Premium | Uses solid-state drives (SSD). Best for low-latency, high-throughput workloads. |
Replication/Redundancy Options
| Option | Description |
|---|---|
| LRS | Locally Redundant Storage -- 3 copies in one datacenter |
| ZRS | Zone-Redundant Storage -- 3 copies across availability zones in one region |
| GRS | Geo-Redundant Storage -- LRS + async replication to a secondary region |
| RA-GRS | Read-Access Geo-Redundant Storage -- GRS with read access to secondary region |
Storage Account Networking and Data Protection
Storage accounts support firewall rules, virtual network service endpoints, and private endpoints to restrict access. Data protection features include soft delete, versioning, and point-in-time restore.
Storage Account Encryption
Azure Storage automatically encrypts all data at rest using 256-bit AES encryption (SSE -- Storage Service Encryption). You can use Microsoft-managed keys or customer-managed keys (CMK) stored in Azure Key Vault.
Upload Files to a Storage Account
Files can be uploaded to Blob Storage via the Azure Portal, Azure CLI, AzCopy, Azure Storage Explorer, or programmatically using Azure SDKs.
Access Keys and SAS Tokens
Access Keys
Each storage account has two access keys (key1 and key2) that provide full access to the entire storage account. Rotate keys regularly and never expose them in client-side code.
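As an added illustration of the "never expose them in client-side code" advice (example code written for this page, not from the page or from Microsoft), the Python below scans text such as source files, configuration or request logs for storage account keys embedded in connection strings and for the `sig` signature of a SAS token, and redacts both before the text is written anywhere. The two regular expressions are this example's assumptions about the documented formats (an account key is 64 random bytes, base64-encoded as 86 characters plus `==`; a SAS carries its HMAC in the `sig` query parameter); the sample input, the fake key and the fake signature are constructed.

```python
import re

# Account keys are 64 random bytes, base64 encoded: 86 base64 characters followed by "==".
# Both patterns are this example's assumptions about the documented formats, not an official
# Microsoft detector; tune them to your own codebase before relying on them.
ACCOUNT_KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
# A SAS token carries its HMAC in the "sig" query parameter, URL-encoded.
SAS_SIG_RE = re.compile(r"([?&]sig=)([A-Za-z0-9%+/=]+)")


def find_storage_secrets(text):
    """Return (kind, value) pairs for every account key or SAS signature found in text."""
    hits = [("account_key", m.group(1)) for m in ACCOUNT_KEY_RE.finditer(text)]
    hits += [("sas_signature", m.group(2)) for m in SAS_SIG_RE.finditer(text)]
    return hits


def redact_storage_secrets(text):
    """Mask keys and SAS signatures so the text can be logged or pasted into a ticket."""
    text = ACCOUNT_KEY_RE.sub("AccountKey=[REDACTED]", text)
    return SAS_SIG_RE.sub(r"\1[REDACTED]", text)


# Constructed sample input: a fake key (86 'A's + '==') and a fake signature value.
FAKE_KEY = "A" * 86 + "=="
SAMPLE = (
    "DefaultEndpointsProtocol=https;AccountName=examplestor;"
    f"AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net\n"
    "GET https://examplestor.blob.core.windows.net/backups/db.bak"
    "?sv=2022-11-02&sr=b&sp=r&se=2024-01-02T00%3A00%3A00Z&sig=abc%2Fdef%3D\n"
)

if __name__ == "__main__":
    for kind, value in find_storage_secrets(SAMPLE):
        print(f"{kind}: {value[:8]}...")
    print(redact_storage_secrets(SAMPLE))
```

Run it over a repository or a log export before a hand-off; a hit on `account_key` means the key should be rotated (the storage account has two keys precisely so that rotation can happen without downtime), and a hit on `sas_signature` means the SAS should be treated as leaked until it expires or its stored access policy is revoked.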
Shared Access Signatures (SAS)
Account SAS
Grants access to resources in one or more storage services (Blob, File, Queue, Table) at the account level.
Service SAS
Grants access to resources in a single storage service only (e.g., Blob service).
User Delegation SAS
Secured with Microsoft Entra ID credentials instead of an account key. Most secure SAS type -- recommended for Blob Storage.
AzCopy V10
AzCopy is a command-line utility for copying data to/from Azure Storage accounts. AzCopy v10 supports Blob, File, and Data Lake Storage Gen2.
```shell
azcopy sync "localfolder" "https://account.blob.core.windows.net/container?SAS_TOKEN"
```
StartCopyFromUri Method
The StartCopyFromUri method initiates an asynchronous copy of a blob from a source URI. The source can be any publicly accessible URI or a blob in another storage account authenticated via SAS.
SetMetadata Method
The SetMetadata method sets user-defined metadata on a blob or container as name-value pairs. Metadata is stored as HTTP headers with the x-ms-meta- prefix.
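To make the header mapping concrete, here is an added example (not the page's or the SDK's own code) that converts a metadata dictionary into the `x-ms-meta-` request headers that SetMetadata sends and parses them back out of response headers. The name rule is this example's approximation of Azure's requirement that metadata names be valid HTTP header names and valid C# identifiers; the value check rejects control characters and non-ASCII so that a value taken from user input cannot inject extra header lines. The function names and sample values are constructed.

```python
import re

META_PREFIX = "x-ms-meta-"
# Azure metadata names must be valid HTTP header names and valid C# identifiers; this regex is
# the example's approximation of that rule (ASCII letter or underscore, then letters, digits,
# underscores). Values travel as header values, so control characters and non-ASCII are rejected.
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def metadata_to_headers(metadata):
    """Map {name: value} to the x-ms-meta-* request headers, validating each pair first."""
    headers = {}
    for name, value in metadata.items():
        if not NAME_RE.match(name):
            raise ValueError(f"invalid metadata name: {name!r}")
        if not isinstance(value, str) or not all(32 <= ord(c) < 127 for c in value):
            raise ValueError(f"metadata value for {name!r} must be printable ASCII")
        headers[META_PREFIX + name] = value
    return headers


def headers_to_metadata(headers):
    """Recover metadata from response headers; header names match case-insensitively."""
    return {h[len(META_PREFIX):]: v for h, v in headers.items()
            if h.lower().startswith(META_PREFIX)}


if __name__ == "__main__":
    sent = metadata_to_headers({"owner": "backup-team", "retention_days": "180"})
    print(sent)
    print(headers_to_metadata({"Content-Length": "42", **sent}))
```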
Storage Policies
Stored access policies provide an additional level of control over service-level SAS tokens. They allow you to change the start time, expiry time, or permissions of a SAS without regenerating the token.
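The following added example (written for this page; it is not Azure's implementation and not SDK code) models the two SAS sections above and the stored access policy mechanism in one place. An ad-hoc service SAS carries its permissions (`sp`) and expiry (`se`) inside the signed token, so nothing about it can be changed after issue; a policy-backed SAS instead references a policy by id (`si`) and the service looks the permissions and expiry up at request time, which is why editing or deleting the policy revokes every token that references it without regenerating anything. The canonical string that is signed, the version label `example-1`, the account name `exampleaccount`, the `POLICIES` store and the functions `make_service_sas`, `authorize` and `demo` are all this example's assumptions; the real service SAS string-to-sign has more fields and is produced for you by the SDK. User delegation SAS is not modelled here because it is signed with a key obtained via Microsoft Entra ID rather than with the account key.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ACCOUNT = "exampleaccount"  # constructed account name

# Stored access policies live on the container, keyed by (container, policy id).
# The service consults them at request time, so editing one changes every SAS that references it.
POLICIES = {}


def set_policy(container, policy_id, permissions, expiry):
    POLICIES[(container, policy_id)] = {"permissions": permissions, "expiry": expiry}


def remove_policy(container, policy_id):
    POLICIES.pop((container, policy_id), None)


def _string_to_sign(fields, container, blob):
    # Simplified canonical form: the fields and their order are an assumption for this
    # example and do not reproduce Azure's documented string-to-sign.
    canonical = f"/blob/{ACCOUNT}/{container}/{blob}"
    return "\n".join([fields.get("sp", ""), fields.get("se", ""), canonical,
                      fields.get("si", ""), fields.get("sr", ""), fields.get("sv", "")])


def _sign(account_key, message):
    key = base64.b64decode(account_key)
    return base64.b64encode(hmac.new(key, message.encode(), hashlib.sha256).digest()).decode()


def make_service_sas(account_key, container, blob, permissions=None, expiry=None, policy_id=None):
    """Build a service-SAS-style query string for one blob. Either give permissions and expiry
    inline (ad-hoc SAS) or reference a stored access policy that supplies them (si=...)."""
    fields = {"sv": "example-1", "sr": "b"}
    if permissions:
        fields["sp"] = permissions
    if expiry:
        fields["se"] = expiry.strftime(TIME_FMT)
    if policy_id:
        fields["si"] = policy_id
    fields["sig"] = _sign(account_key, _string_to_sign(fields, container, blob))
    return urlencode(fields)


def authorize(account_key, container, blob, sas_query, wanted, now):
    """Server-side decision for one request: verify the HMAC, resolve the stored policy if any,
    then enforce expiry and permissions. Returns (allowed, reason)."""
    q = {k: v[0] for k, v in parse_qs(sas_query, keep_blank_values=True).items()}
    expected = _sign(account_key, _string_to_sign(q, container, blob))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False, "bad signature"  # tampered fields or a different blob/container
    if "si" in q:
        # Policy-backed: permissions and expiry come from the policy, not the token.
        policy = POLICIES.get((container, q["si"]))
        if policy is None:
            return False, "policy missing or revoked"
        permissions, expiry = policy["permissions"], policy["expiry"]
    else:
        if "se" not in q:
            return False, "no expiry"
        permissions = q.get("sp", "")
        expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "expired"
    if wanted not in permissions:
        return False, "permission not granted"
    return True, "ok"


DEMO_KEY = base64.b64encode(bytes(range(64))).decode()  # constructed 64-byte key, not a real one
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def demo():
    """Walk through ad-hoc and policy-backed SAS and return each decision by scenario name."""
    c, b, r = "backups", "db.bak", {}
    adhoc = make_service_sas(DEMO_KEY, c, b, permissions="r", expiry=NOW + timedelta(hours=1))
    r["adhoc_read"] = authorize(DEMO_KEY, c, b, adhoc, "r", NOW)
    r["adhoc_write"] = authorize(DEMO_KEY, c, b, adhoc, "w", NOW)
    r["adhoc_later"] = authorize(DEMO_KEY, c, b, adhoc, "r", NOW + timedelta(hours=2))
    r["adhoc_tampered"] = authorize(DEMO_KEY, c, b, adhoc.replace("sp=r&", "sp=rw&"), "w", NOW)
    r["adhoc_other_blob"] = authorize(DEMO_KEY, c, "other.bak", adhoc, "r", NOW)
    set_policy(c, "nightly-read", "r", NOW + timedelta(days=1))
    backed = make_service_sas(DEMO_KEY, c, b, policy_id="nightly-read")
    r["policy_read"] = authorize(DEMO_KEY, c, b, backed, "r", NOW)
    set_policy(c, "nightly-read", "r", NOW - timedelta(hours=1))  # shorten expiry: token unchanged
    r["policy_shortened"] = authorize(DEMO_KEY, c, b, backed, "r", NOW)
    remove_policy(c, "nightly-read")  # delete the policy: same token, now rejected
    r["policy_removed"] = authorize(DEMO_KEY, c, b, backed, "r", NOW)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {decision}")
```

The scenarios make the operational difference visible: the ad-hoc token is bound to one blob and one permission set by the signature and can only be killed by rotating the account key that signed it, whereas the policy-backed token is killed by shortening or removing the policy, which is exactly the control the text describes.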
Storage Account Lifecycle Management
Lifecycle management policies automate the transition of blob data between access tiers (Hot -> Cool -> Cold -> Archive) or delete blobs based on age or last access time.
Rule-Based Policies
Define rules that automatically move blobs to cooler tiers or delete them after a specified number of days since creation or last modification.
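As an added example for the lifecycle section (written for this page, not taken from it or from Microsoft), the Python below builds a one-rule lifecycle policy in the JSON shape that the management API accepts, tiering block blobs Hot -> Cool -> Cold -> Archive and finally deleting them on days-since-modification thresholds, and then predicts the state a blob of a given age ends up in, so a policy can be reviewed before it is deployed. The `daysAfterModificationGreaterThan` and `tierToCool`/`tierToCold`/`tierToArchive`/`delete` keys and the `container/prefix` form of `prefixMatch` are the real policy schema; the `daysAfterLastAccessTimeGreaterThan` variant the text mentions is not used here. The ordering check, the function names and the sample thresholds are this example's own.

```python
import json

# Threshold actions in the order the page lists the tiers; "delete" is the terminal state.
ACTION_ORDER = [("tierToCool", "Cool"), ("tierToCold", "Cold"),
                ("tierToArchive", "Archive"), ("delete", "deleted")]


def build_lifecycle_policy(rule_name, prefix, days_to_cool, days_to_cold,
                           days_to_archive, days_to_delete):
    """Return a lifecycle policy document with one rule on block blobs under prefix
    ("container/path" form). The ordering check is this example's sanity check so a
    misordered rule is caught before it is deployed."""
    if not (days_to_cool < days_to_cold < days_to_archive < days_to_delete):
        raise ValueError("thresholds must increase: Cool < Cold < Archive < delete")
    return {"rules": [{
        "enabled": True,
        "name": rule_name,
        "type": "Lifecycle",
        "definition": {
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [prefix]},
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": days_to_cool},
                "tierToCold": {"daysAfterModificationGreaterThan": days_to_cold},
                "tierToArchive": {"daysAfterModificationGreaterThan": days_to_archive},
                "delete": {"daysAfterModificationGreaterThan": days_to_delete},
            }},
        },
    }]}


def expected_state(policy, blob_path, days_since_modified):
    """Predict the tier ("Hot", "Cool", "Cold", "Archive") or "deleted" that the first
    matching enabled rule yields for a blob of the given age. When several actions apply,
    the coldest one wins, mirroring the service, which applies the least expensive action."""
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        filters = rule["definition"]["filters"]
        if not any(blob_path.startswith(p) for p in filters.get("prefixMatch", [])):
            continue
        actions = rule["definition"]["actions"]["baseBlob"]
        state = "Hot"
        for action, result in ACTION_ORDER:
            threshold = actions.get(action, {}).get("daysAfterModificationGreaterThan")
            if threshold is not None and days_since_modified > threshold:
                state = result
        return state
    return "Hot"  # no rule matched: this model assumes the blob was written to Hot


def policy_json(policy):
    """Serialise for: az storage account management-policy create --policy @policy.json"""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Constructed thresholds that respect the minimum retention of each tier on the page.
    policy = build_lifecycle_policy("backups-aging", "backups/", 30, 90, 180, 365)
    print(policy_json(policy))
    for age in (10, 31, 91, 200, 400):
        print(age, expected_state(policy, "backups/db.bak", age))
```

Note that the sample thresholds line up with the minimum storage durations listed for Cool (30 days), Cold (90 days) and Archive (180 days); moving data into a tier and out again before its minimum elapses incurs an early-deletion charge, so a predicted-state check like this is worth running on any rule before it goes live.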
Key Terms
| Term | Definition |
|---|---|
| Blob Storage | Object storage optimized for storing unstructured data such as text, images, videos, and binary data. |
| SAS Token | A Shared Access Signature that provides secure, time-limited, granular access to storage resources without sharing account keys. |
| User Delegation SAS | The most secure SAS type, secured by Microsoft Entra ID credentials rather than a storage account key. |
| AzCopy | A CLI utility for high-performance data transfer to and from Azure Storage. Supports Blob, File, and Data Lake Storage Gen2. |
| Lifecycle Management | Automated policies that transition blobs between access tiers or delete them based on age or access patterns. |
| LRS | Locally Redundant Storage -- three copies of data within a single datacenter. |
| GRS | Geo-Redundant Storage -- LRS plus asynchronous replication to a secondary region. |
| Stored Access Policy | A named policy on a container or queue that controls the lifetime and permissions of one or more SAS tokens. |
- GPv2 is the recommended storage account type for most scenarios.
- Archive tier has the lowest storage cost but requires rehydration (hours) before data access.
- User Delegation SAS (Entra ID) is the most secure SAS type.
- AzCopy is the fastest way to copy large amounts of data to/from Azure Storage.
- Lifecycle management can auto-tier blobs: Hot -> Cool -> Cold -> Archive -> Delete.
- Stored access policies allow you to modify SAS permissions without regenerating them.
- Storage accounts encrypt all data at rest by default with AES-256.
Practice Questions
Q1. Which SAS type is the most secure for granting access to Blob Storage?
- A. Account SAS
- B. Service SAS
- C. User Delegation SAS
- D. Ad-hoc SAS
Answer: C
User Delegation SAS is the most secure type because it is secured by Microsoft Entra ID credentials rather than a storage account key. It is recommended for Blob Storage access.
Q2. A company wants to store backup data that is rarely accessed and can tolerate rehydration latency of several hours. Which blob access tier is most cost-effective?
- A. Hot
- B. Cool
- C. Cold
- D. Archive
Answer: D
The Archive tier has the lowest storage cost and is designed for data that can tolerate hours of rehydration latency. Data must be stored for at least 180 days.
Q3. Which redundancy option provides read access to data in a secondary region?
- A. LRS
- B. ZRS
- C. GRS
- D. RA-GRS
Answer: D
RA-GRS (Read-Access Geo-Redundant Storage) replicates data to a secondary region AND provides read access to the secondary. Standard GRS replicates but does not allow reads from the secondary.
Q4. What advantage do stored access policies provide over ad-hoc SAS tokens?
- A. Higher throughput
- B. Ability to modify permissions without regenerating the SAS
- C. Encryption of the SAS token itself
- D. Support for multiple storage services
Answer: B
Stored access policies allow you to change the start time, expiry time, or permissions of associated SAS tokens without regenerating them -- providing better control and revocation capability.
Q5. Which tool provides the fastest command-line data transfer to Azure Storage?
- A. Azure CLI
- B. AzCopy
- C. Azure PowerShell
- D. Azure Storage Explorer
Answer: B
AzCopy is purpose-built for high-performance data transfer to and from Azure Storage accounts, supporting parallel transfers and resumable uploads.