
Lab 07 - Manage Azure Storage


This lab covers creating and configuring Azure Storage accounts, focusing on Azure Blob Storage and Azure Files. It uses Storage browser to configure and secure an Azure file share, and works through the security controls (network restrictions, shared access signatures, immutable storage) and data lifecycle management.

Scenario: Your organization is migrating on-premises data to Azure Storage. You need to understand how to choose appropriate storage tiers for cost optimization, secure data access, and explore Azure Files as a potential replacement for on-premises file shares.

Key Concepts:

  • Storage Account: The fundamental building block for Azure Storage, providing a unique namespace for your data (blobs, files, queues, tables).

  • Blob Storage: For storing unstructured data like text or binary files (images, videos, documents).

  • Azure Files: Fully managed file shares in the cloud, accessible via the SMB protocol.

  • Access Tiers (Blob Storage): Hot, Cool, and Archive tiers optimize cost based on access frequency.

  • Redundancy (LRS, ZRS, GRS, RA-GRS): Options for data replication to ensure durability and availability.

  • Shared Access Signature (SAS): A secure way to grant limited access to storage resources without sharing your account keys.

  • Service Endpoint: Secures access to Azure services (like Storage) from specific virtual networks.

  • Immutable Storage: Write-Once, Read-Many (WORM) storage for compliance and data protection.

  • Lifecycle Management: Automates moving blobs to different access tiers or deleting them based on rules.

Interactive lab simulations:

  • Create blob storage: Set up a storage account, manage blob storage, and monitor activities.

  • Manage Azure storage: Configure a storage account, manage blob containers, and set up storage networking.

Job skills

  • Task 1: Create and configure a storage account.

  • Task 2: Create and configure secure blob storage.

  • Task 3: Create and configure secure Azure file storage.

Diagram of the tasks.

Task 1: Create and Configure a Storage Account

  1. Sign In: Log in to the Azure portal (https://portal.azure.com).

  2. Create Storage Account: Search for and select "Storage accounts" and click "+ Create."

    • Basics:

      • Resource Group: az104-rg7-lod48852671 (create if it doesn't exist)

      • Storage account name: (Choose a globally unique name, 3-24 lowercase letters and numbers)

      • Performance: Standard

      • Redundancy: Geo-redundant storage (GRS)

      • Make read access to data available in the event of regional unavailability: Checked (this turns GRS into RA-GRS, so the secondary region can be read from if the primary is down)

    • Advanced: Accept the defaults. Review the options to understand their purpose.

    • Networking: Select "Disable public access and use private access." This is the secure default; later steps in this lab re-open access selectively (your client IP, then a virtual network) so you can see the effect of each change.

    • Data Protection: Accept the defaults. Note the soft delete and versioning options.

    • Encryption: Accept the defaults.

    • Review + Create: Verify and click "Create."

  3. Explore Storage Account Settings:

    • Review the "Overview" blade. Note the different storage services (Containers, File shares, Queues, Tables).

    • Security + networking -> Networking:

      • Note that public access is disabled.

      • Change to: Enabled from selected virtual networks and IP addresses

      • Firewall: Check the box to Add your client IP address.

      • Click "Save."

    • Data management -> Redundancy: Note the primary and secondary locations for your data (due to GRS).

    • Data management -> Lifecycle management:

      • Click "Add a rule."

        • Rule name: Movetocool

        • Limit scope using filters: Uncheck.

        • Click "Next."

        • Base blobs tab:

          • If: Base blobs were last modified

          • More than: 30 days ago

          • Then: Move to cool storage

        • Click "Add."

Screenshot move to cool rule conditions.
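The portal hides the policy document it writes for the Movetocool rule. The following is an added example (not part of the lab) that spells that document out in the JSON shape Azure's lifecycle management API uses, which is also what `az storage account management-policy create --policy @file.json` accepts, and dry-runs it against a constructed blob listing so you can see which blobs the rule would actually touch. The account, blob names and dates are made up.

```python
"""Dry-run of the lab's 'Movetocool' lifecycle rule (added example, not lab code)."""
import json
from datetime import datetime, timedelta, timezone

MOVE_TO_COOL = {
    "rules": [
        {
            "enabled": True,
            "name": "Movetocool",
            "type": "Lifecycle",
            "definition": {
                # "Base blobs were last modified more than 30 days ago -> move to cool"
                "actions": {
                    "baseBlob": {"tierToCool": {"daysAfterModificationGreaterThan": 30}}
                },
                # "Limit scope using filters" was left unchecked, so there is no
                # prefixMatch list; blobTypes is still required by the schema.
                "filters": {"blobTypes": ["blockBlob"]},
            },
        }
    ]
}

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the dry run is repeatable

# Constructed listing. Names use the "container/blobpath" form that prefixMatch filters use.
SAMPLE_BLOBS = [
    {"name": "data/securitytest/test.txt", "blobType": "blockBlob", "tier": "Hot",
     "lastModified": NOW - timedelta(days=45)},
    {"name": "data/securitytest/new.txt", "blobType": "blockBlob", "tier": "Hot",
     "lastModified": NOW - timedelta(days=3)},
    {"name": "data/disk.vhd", "blobType": "pageBlob", "tier": "Hot",
     "lastModified": NOW - timedelta(days=90)},
    {"name": "data/already-cool.txt", "blobType": "blockBlob", "tier": "Cool",
     "lastModified": NOW - timedelta(days=60)},
]


def apply_policy(policy, blobs, now):
    """Return {blob name: target tier} for blobs a tierToCool rule would move.

    Only the tierToCool action on base blobs is modelled here; Azure's schema also
    carries tierToArchive and delete actions (and snapshot/version variants) in the
    same structure.
    """
    moves = {}
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        definition = rule["definition"]
        actions = definition["actions"].get("baseBlob", {})
        filters = definition.get("filters", {})
        prefixes = filters.get("prefixMatch", [])
        threshold = actions.get("tierToCool", {}).get("daysAfterModificationGreaterThan")
        if threshold is None:
            continue
        for blob in blobs:
            if blob["blobType"] not in filters.get("blobTypes", []):
                continue  # page and append blobs are not eligible for tiering
            if prefixes and not any(blob["name"].startswith(p) for p in prefixes):
                continue  # outside the rule's scope
            if blob["tier"] != "Hot":
                continue  # already Cool or Archive: nothing to do
            age_days = (now - blob["lastModified"]).days
            if age_days > threshold:
                moves[blob["name"]] = "Cool"
    return moves


def policy_json():
    """Serialise the rule the way you would hand it to the CLI or an ARM template."""
    return json.dumps(MOVE_TO_COOL, indent=2)


if __name__ == "__main__":
    print(policy_json())
    print(apply_policy(MOVE_TO_COOL, SAMPLE_BLOBS, NOW))
```

Two things the dry run makes visible that the portal form does not: the page blob is untouched regardless of age because the rule is scoped to block blobs, and a blob that is already Cool is not re-tiered. If you later add "Limit scope using filters" with a prefix such as `data/securitytest/`, add it as `"prefixMatch": ["data/securitytest/"]` under `filters`.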

Task 2: Create and Configure Secure Blob Storage

Screenshot of create a container.

  1. Create Blob Container:

    • In your storage account, under "Data storage," click "Containers."

    • Click "+ Container."

      • Name: data

      • Public access level: Private (no anonymous access). Leave this default; it is what prevents anonymous reads of the blobs in the container.

    • Click "Create."

  2. Configure Immutable Storage (Time-Based Retention):

    • Select your new data container.

    • Click the ellipsis (...) on the far right of the data container row, and select "Access Policy".

    • Under "Immutable blob storage," click "Add policy."

      • Policy type: Time-based retention

      • Set retention period for: 180 days

    • Click "Save."

  3. Upload a Blob:

    • Select your data container.

    • Click "Upload."

    • Browse for files: Select a small file to upload (a text file or small image is best). You can use a sample file from the AllFiles directory if needed.

    • Expand "Advanced."

      • Blob type: Block blob

      • Block size: 4 MiB

      • Access tier: Hot

      • Upload to folder: securitytest

      • Encryption scope: Use existing default container scope

    • Click "Upload."

    • Confirm the securitytest folder and your file were uploaded.

  4. Test Public Access (Should Fail):

    • Click on your uploaded file.

    • Copy the "URL" property.

    • Open a new InPrivate (or Incognito) browser window and paste the URL. You should receive an XML error such as ResourceNotFound (the service does not reveal to anonymous callers whether a private blob exists) or PublicAccessNotPermitted. This is expected because the container is private.

  5. Generate a Shared Access Signature (SAS):

    • Click on your uploaded file. Click the ellipsis (...) on the far right, and choose "Generate SAS."

    • Signing Key: Key 1

    • Permissions: Read (only)

    • Start date: (Yesterday's date)

    • Start time: (Current time)

    • Expiry date: (Tomorrow's date)

    • Expiry time: (Current time)

    • Allowed IP addresses: (Leave blank for this lab.) Note that a blank value means anyone holding the URL can use it from any network; outside the lab, restrict the SAS to the client IP address or range that needs it.

    • Click "Generate SAS token and URL."

    • Copy the "Blob SAS URL."

  6. Test SAS URL (Should Succeed):

    • Open a new InPrivate browser window and paste the Blob SAS URL. This time, you should be able to view the file's content. The SAS provides temporary, restricted access.
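To see what the "Generate SAS" button actually does, and to check a SAS URL you are handed, the following added example (not the lab's or Microsoft's code) builds a service SAS for one blob with the standard library and then audits the resulting URL against the settings the lab asks for: read-only, a two-day window, HTTPS only, and ideally an IP restriction. The string-to-sign layout is the documented one for storage API version 2020-12-06; it is reproduced from the specification rather than taken from the page, so treat the signing half as a readable model and the audit half as the reusable part. The account name, key and blob path are constructed.

```python
"""Build a read-only, short-lived blob SAS and audit a SAS URL (added example, not lab code)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

API_VERSION = "2020-12-06"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_blob_sas(account, key_b64, container, blob, permissions="r",
                  start=None, expiry=None, ip_range="", protocol="https"):
    """Return (query_string, string_to_sign) for a service SAS scoped to one blob."""
    start = start or datetime.now(timezone.utc) - timedelta(days=1)   # lab: yesterday
    expiry = expiry or start + timedelta(days=2)                       # lab: tomorrow
    st, se = start.strftime(TIME_FMT), expiry.strftime(TIME_FMT)
    canonical = f"/blob/{account}/{container}/{blob}"
    fields = [
        permissions, st, se, canonical,
        "",            # signedIdentifier: no stored access policy
        ip_range,      # signedIP: empty means the token works from anywhere
        protocol, API_VERSION,
        "b",           # signedResource: a single blob
        "",            # signedSnapshotTime
        "",            # signedEncryptionScope
        "", "", "", "", "",   # rscc, rscd, rsce, rscl, rsct response-header overrides
    ]
    string_to_sign = "\n".join(fields)
    # The signature is HMAC-SHA256 over the string-to-sign, keyed with the decoded account key.
    digest = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"),
                      hashlib.sha256).digest()
    params = {"sv": API_VERSION, "st": st, "se": se, "sr": "b", "sp": permissions,
              "spr": protocol, "sig": base64.b64encode(digest).decode()}
    if ip_range:
        params["sip"] = ip_range
    return urlencode(params), string_to_sign


def _parse_time(value):
    for fmt in (TIME_FMT, "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def audit_sas_url(url, now=None, max_lifetime=timedelta(days=7)):
    """Return findings for a blob SAS URL; an empty list means read-only, short-lived,
    HTTPS-only and IP-restricted."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if set(q.get("sp", "")) - {"r"}:
        findings.append(f"permissions beyond read: sp={q.get('sp')}")
    expiry = _parse_time(q.get("se", ""))
    if expiry is None:
        findings.append("no usable expiry (se): token never expires")
    elif expiry <= now:
        findings.append("token already expired")
    elif expiry - now > max_lifetime:
        findings.append(f"expiry more than {max_lifetime.days} days out")
    if "sip" not in q:
        findings.append("no IP restriction (sip): usable from any network")
    if q.get("spr", "https,http") != "https":
        findings.append("plain http allowed (spr)")
    if "sig" not in q:
        findings.append("no signature (sig): not a SAS at all")
    return findings


def demo():
    """Reproduce the lab's token on a fixed clock plus two variants; return audit results."""
    account, container, blob = "labstorage", "data", "securitytest/test.txt"
    key = base64.b64encode(b"\x01" * 32).decode()   # constructed key, not a real one
    start = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
    now = start + timedelta(days=1)
    base = f"https://{account}.blob.core.windows.net/{container}/{blob}?"
    variants = {
        "lab": dict(permissions="r", expiry=start + timedelta(days=2)),
        "ip_locked": dict(permissions="r", expiry=start + timedelta(days=2),
                          ip_range="203.0.113.10"),
        "over_privileged": dict(permissions="rwd", expiry=start + timedelta(days=365)),
    }
    results = {}
    for label, opts in variants.items():
        qs, string_to_sign = make_blob_sas(account, key, container, blob, start=start, **opts)
        results[label] = {"url": base + qs,
                          "fields": string_to_sign.count("\n") + 1,
                          "findings": audit_sas_url(base + qs, now=now)}
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r["findings"] or "ok")
```

Run as-is, the "lab" token audits clean except for the missing IP restriction, which is exactly the gap the lab leaves open; the "over_privileged" variant shows what a leaked SAS with `sp=rwd` and a one-year expiry looks like, which is why the lab stresses Read-only and a narrow time window. Because a service SAS is signed with the account key, the only ways to revoke one early are rotating that key or, if the token references a stored access policy (the `si` parameter), deleting the policy.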

Task 3: Create and Configure Azure File Storage

Screenshot of the create file share page.

  1. Create File Share:

    • In your storage account, under "Data storage," click "File shares."

    • Click "+ File share."

      • Name: share1

      • Select the Basics tab.

      • Tiers: Transaction optimized (Keep the default.)

    • Select the Backup tab.

      • Ensure Enable Backup is unchecked.

      • Select Review + Create, and then Create.

    • Wait for the deployment to finish.

  2. Explore Storage Browser:

    • Go back to your storage account.

    • Under "Data storage," select "Storage browser."

    • Select "File shares." You should see your share1.

    • Click on share1.

    • Click "+ Add directory" to create a folder (optional).

    • Click "Upload" to upload a test file to the share.

  3. Restrict Network Access:

    • In the Azure portal, search for and select "Virtual networks."

    • Click "+ Create."

      • Resource Group: (Use the same resource group: az104-rg7-lod48852671)

      • Name: vnet1

      • Take defaults on other tabs.

    • Select Review + create, then Create.

    • Wait for the virtual network to deploy, and then select Go to resource.

    • Under "Settings," go to "Service endpoints" and click "+ Add."

      • Service: Microsoft.Storage

      • Subnets: default

      • Click Add. This lets the storage firewall recognise traffic from that subnet.

    • Go back to your storage account.

    • Under "Security + networking," select "Networking."

    • Click "+ Add existing virtual network," select vnet1 and the default subnet, and click Add.

    • Firewall: Delete your client IP address. With no IP rules left, only the virtual network (and any trusted Azure services allowed under Exceptions) can reach the account.

    • Click "Save."

  4. Test Network Restriction:

    • In your storage account, go to "Storage browser."

    • Refresh the page. Try to access your file share or blob container. You should now receive an authorization error ("not authorized to perform this operation"). Storage browser sends its data requests from your browser, so your public IP address is what the firewall sees, and it is no longer in the allow list nor inside the configured virtual network. The change can take a few minutes to take effect.

Screenshot unauthorized access.
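The two network states the lab walks through, Task 1 (public access from selected networks, your client IP allowed) and Task 3 (vnet1/default allowed, client IP removed), are easier to reason about when the firewall's evaluation order is written down. The following added example (not part of the lab) models the account's network ACL fields (defaultAction, ipRules, virtualNetworkRules, bypass) and evaluates sample requests against both states. The subscription ID, subnet resource IDs and the client address are constructed.

```python
"""Model of the storage-account firewall from Tasks 1 and 3 (added example, not lab code)."""
import ipaddress
from dataclasses import dataclass, field

SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"   # constructed
RESOURCE_GROUP = "az104-rg7-lod48852671"
CLIENT_IP = "198.51.100.25"                              # constructed: your workstation's public IP

# Ranges Azure will not accept in a storage IP rule (only public IPv4 is allowed there).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def subnet_id(vnet, subnet):
    """ARM resource ID in the form virtualNetworkRules entries use."""
    return (f"/subscriptions/{SUBSCRIPTION}/resourceGroups/{RESOURCE_GROUP}/providers/"
            f"Microsoft.Network/virtualNetworks/{vnet}/subnets/{subnet}")


VNET1_DEFAULT = subnet_id("vnet1", "default")
VNET2_DEFAULT = subnet_id("vnet2", "default")   # a subnet the lab never authorises


@dataclass
class NetworkRuleSet:
    default_action: str = "Deny"   # "Enabled from selected virtual networks and IP addresses"
    ip_rules: list = field(default_factory=list)     # public IPv4 addresses or CIDR ranges
    vnet_rules: list = field(default_factory=list)   # subnet IDs with a Microsoft.Storage service endpoint
    bypass: set = field(default_factory=lambda: {"AzureServices"})  # portal default exception

    def add_ip_rule(self, value):
        net = ipaddress.ip_network(value, strict=False)
        if net.version != 4 or any(net.subnet_of(p) for p in RFC1918):
            raise ValueError(f"{value}: storage IP rules only accept public IPv4 ranges")
        self.ip_rules.append(str(net))

    def remove_ip_rule(self, value):
        self.ip_rules.remove(str(ipaddress.ip_network(value, strict=False)))

    def allows(self, *, source_ip=None, subnet=None, trusted_service=False):
        """Evaluate one request in the order the storage firewall applies its rules."""
        if trusted_service and "AzureServices" in self.bypass:
            return True
        if subnet is not None and subnet in self.vnet_rules:
            return True   # arrived over the service endpoint from an allowed subnet
        if source_ip is not None:
            addr = ipaddress.ip_address(source_ip)
            if any(addr in ipaddress.ip_network(r) for r in self.ip_rules):
                return True
        return self.default_action == "Allow"


def demo():
    """Replay the lab: Task 1 allows your client IP; Task 3 swaps it for vnet1/default."""
    task1 = NetworkRuleSet()
    task1.add_ip_rule(CLIENT_IP)                     # Firewall: "Add your client IP address"

    task3 = NetworkRuleSet(vnet_rules=[VNET1_DEFAULT])
    # Task 3 starts from the Task 1 state, adds the VNet and deletes the client IP rule.
    task3.ip_rules = list(task1.ip_rules)
    task3.remove_ip_rule(CLIENT_IP)

    return {
        "task1_portal_browser": task1.allows(source_ip=CLIENT_IP),   # Storage browser works
        "task3_portal_browser": task3.allows(source_ip=CLIENT_IP),   # the 403 the lab expects
        "task3_vm_in_vnet1": task3.allows(subnet=VNET1_DEFAULT),     # only path left in
        "task3_vm_in_vnet2": task3.allows(subnet=VNET2_DEFAULT),     # no endpoint rule: denied
        "task3_trusted_service": task3.allows(trusted_service=True),  # bypass still applies
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The model reproduces the lab's observation: after Task 3 the portal's Storage browser is denied because the request originates from your browser's public address, while a VM in vnet1/default would get through over the service endpoint. It also encodes a constraint people hit when they try to "allow the VM's IP" instead of its subnet: RFC 1918 addresses are rejected as IP rules, so the virtual network rule (or a private endpoint) is the right mechanism for in-VNet clients.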
