Getting the Most From Azure Storage
The Azure Storage suite of services forms the core foundation of much of the rest of the Azure services ecosystem. Blobs are low-level data primitives that can store any data type and size. Tables provide inexpensive, scalable NoSQL storage of key/value data pairs. Azure queues provide a messaging substrate to asynchronously and reliably connect distinct elements of a distributed system. Azure files provide an SMB-compatible file system for enabling lift-and-shift scenarios of legacy applications that use file shares. Azure disks provide consistent, high-performance storage for virtual machines running in the cloud.
In this Introduction to Azure Storage course you'll learn about the features of these core services, and see demonstrations of their use. Specifically, you will:
- Define the major components of Azure Storage
- Understand the different types of blobs and their intended use
- Learn basic programming APIs for table storage
- Discover how queues are used to pipeline cloud compute nodes together
- Learn to integrate Azure files with multiple applications
- Understand the tradeoffs between standard/premium storage and unmanaged/managed disks
Okay, so our grand tour of Azure Storage will, as you might expect, begin in the Azure Portal. So I'll assume that you've, that you have an Azure subscription, you've logged into the Portal using your credentials, and so now we're going to create a new Azure Storage account. To do that I'll go to the upper left hand side, I'll click New, and then type storage account.
Click a couple more times, and then, okay now I'm prompted for some information, just like any other Azure resource I have to add a little bit of input information before my resource is created for me. The first thing you need to do is give your storage account a unique name. This name does need to be unique across all of Azure, not just a particular region, or your particular subscription.
It actually has to be globally unique. And the portal will help you a little bit. If I enter something that's probably very common like Temp, for example, then you can see I get a warning here saying that this one already exists. The reason why this has to be unique is because this name is the DNS name that you use to, in a connection string, to connect to your account, to perform management or data operations against the resources in your account, and so this ultimately it has to be unique, again, globally.
So I'll just try something, Joshtemp, Temp Josh 22, yeah sure. Okay, deployment model. So you have the choice of the more modern resource manager deployment model or the classic deployment model with your storage account. Quite frankly, the classic model is a legacy model. It existed when Azure was first created.
It's really not, there is really no practical reason for you to choose it over the resource manager model, at this point in time. There may be edge cases where somebody requires you to do that, but by and large, the deployment model that you want is resource manager, so just stick with that one, which is, of course, the default.
You can also choose a type of account that you want to create, whether it's a general purpose account or a blob storage account. Now, the name is a little confusing here. You can still create blobs with a general purpose storage account, and as the name implies, typically you want to create and want to use a general purpose account.
The blob storage accounts are particularly useful for creating, or for designating hot or cool storage tiers with blobs. And that's something we'll explore a little bit later in the course. For now, I'm just going to pick general purpose, and for the most part, that's typically what you're going to use if you're creating your own storage accounts.
You can choose a premium or standard performance tiers. As you might expect, the standard tier is a little bit cheaper. The premium tier is obviously more expensive, but offers you a higher amount of throughput, if you need it for things like, really IO-intensive data analytics or scientific computing, that sort of thing.
That's not to say that the standard tier performs poorly. Generally speaking, it actually performs quite well. So for the most part, I would say, err on the side of, or at least start with the standard tier, and if that one is not efficient for your needs, then of course you can bump up and choose the premium tier, if you like.
From a replication standpoint, I'm going to choose locally redundant storage, which means that I end up with three copies of my data, of all the data that's in my storage account in a single datacenter. Of course, if you want better redundancy for high availability and fail-over purposes, then you can choose some of the other options, as we discussed in the course.
I'm going to choose locally redundant here. I can opt into storage service encryption, so I can essentially have transparent encryption at rest for all of the data that's stored in my account. In this case I'm just going to leave that disabled, but just know that you have that option, if you need it. Pick a subscription.
Of course, I'm just going to use the standard, or the default one that's already here. And then, of course, just like any other resource, I can choose to create a new resource group or an existing one, within which to put my new storage account. Ultimately, I'm not going to actually create this account, I have one that exists already that I'm going to navigate to and do some work with.
So I'm going to close out of this, but of course, if you were going to create your account, you would just complete it and click the Create button. So let me back all the way out, and I will navigate to my storage account that I've already created. So this storage account is called Josh Intro Storage.
I have a little bit of configuration that I'll show you in a moment, that I've already done to it, so that I can show you a couple of other things around security. But when you see the user interface for storage, you unsurprisingly have access to things like the blobs, files, tables, and queues that are children of that storage account, so that's something that you would expect.
Some of the other features that you can navigate and access in here, first, you can certainly access the access control portion of the storage account to configure who has access to the account and what they can do with it. I'm going to show you some of those details in a moment. Beyond that, you also have access to the access keys.
So as we discussed, a storage account has a primary and a secondary access key associated with it and that's created for you when the storage account is created. You can rotate those keys as much as you need to. Generally speaking, as we've talked about, these keys are not something that you should be using for programmatic access.
You can hand these keys out to and use them in applications that connect to your storage account, but generally speaking, that's not a great idea. It's better to use shared access signature tokens. And we'll demonstrate that, in a later demo in the course. But just know that these, if you need to access these management keys, this is where you would find them.
Oh, I closed out of my account. Alright, this is also where you can find, we were talking about shared access signatures just a moment ago. This is where you can find access to create those and manage those. Find that in here. And then again, like we said, you have access to things like the blobs, the files, tables, and queues that are part of this storage account.
Okay, so specifically, let me navigate into the blob containers. You can see that I've already created one container in here called Images. And if I navigate into this, I have a single image already here. And if I click on this, I can download it, and I can show it to you, and this is just a picture of my dog, June, next to a river, being kind of crazy as she normally is.
So at any rate, I have access to this because I'm the administrator of this account and I added this blob so of course, by default, I have access to this blob. Right now, nobody else has access to it. Only somebody who is an administrator essentially can access that blob. But what I'd like to do is demonstrate from a management standpoint, kind of at a top-level, demonstrate designating management authority, or review authority for another user into my storage account.
And so, what I want to show you, is if I back out of this for a moment, show you that I have another user already added in my subscription. And this is Sally Sue. And if I click on the, here we are, you can see the groups, generally speaking permissions are assigned by group in Azure role-based access control.
And so, you can see for this user, Sally Sue, she's not assigned to any groups. There's nothing, for intents and purposes, there's nothing she can do right now within my subscription. She exists, and she's there. She can log in, but when she does log in she really doesn't have immediate access to any of the existing resources.
In fact, if I put you over to another window in my browser, you can see that if we look on the upper right hand side here, you can see that I'm logged in as Sally, and if we look at the resources, if I click on All Resources, you can see that the list is empty. Again, meaning that Sally doesn't have access to any of the existing resources that are already in the subscription.
So what I want to do is I want to assign rights to Sally so that she can look at that storage account that I've already created. So if I click back to the browser window where I'm logged in as administrator, and I go back to my storage account, and click on Access Control, then you can see that I have a single rule in here already that says, and this is created for me by default.
I didn't do anything to create this myself. But this, I have a rule that says, of course, subscription admins can, they are assigned the owner role, which for all intents and purposes means that admins can do everything in a subscription, and of course that makes sense. So let's add a new rule in here.
We'll click Add. And the role that we want to assign to Sally is Contributor. Now, to be clear, I am assigning Sally as a contributor, to be a contributor within the scope of this storage account. Not the entire subscription. Not everything in Azure that I own as an administrator. Merely this storage account.
So again, the idea here is, because we're thinking about storage and we want to understand how to configure and work with storage, this is something that you would do after you create a storage account if you're going to be using it in any sort of production capacity. You would then immediately go in to this user interface and you would assign the specific privileges and roles that you want to assign to individual users.
And so Sally could be a contributor on this storage account but perhaps have no other access to any other storage accounts. That sort of selectivity is certainly possible, and granularity is possible with role-based access control and certainly with storage accounts. So, we've got the contributor role.
We're going to assign Sally Sue to that, so I'll click Save. And that should take just a moment. And yes, we see Sally is assigned, Sally is assigned as a contributor. So, if we go back to the window where Sally's logged in, if we click refresh, we're actually not going to see anything here yet, because we unfortunately, we have to log out of the portal, and then log Sally back in for her to see kind of her updated privileges.
So let's go ahead and sign out. And now I will log her back in, and now you can see, if we look at All Resources here, we can actually see the storage account that we just assigned her privileges to. Now we see it show up in the list of things that she can look at. So we'll drill into that, and you can see this is the storage account.
Again, this is, if I look up on the upper right hand side, this is Sally logged in. And so if we click on Blobs, we see the Images container that we've created in our Blob storage, and there's our image. So if I click on that, and click Download, then there's Juney again, next to the stream. Okay, so hopefully that gives you a sense of how to configure top-level management permissions with Azure Storage.
And of course, there's a lot more granularity that you can get into with this, and you can assign permissions to specific resources, and not just the entire storage account itself, and of course, you can assign privileges across multiple storage accounts as you need to.
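The scoping point in the demo (Contributor on one storage account, not the whole subscription) can be checked after the fact. This added example, not part of the original course, reviews role assignments in the JSON shape printed by `az role assignment list` and reports which key-capable roles reach an account and at what scope; the subscription ID, resource names and principals are constructed placeholders.

```python
import re

# Constructed sample shaped like `az role assignment list --all -o json` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/demo-rg"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/examplestorage"
ASSIGNMENTS = [
    {"principalName": "admin@example.com", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sally@example.com", "roleDefinitionName": "Contributor", "scope": ACCOUNT},
    {"principalName": "temp@example.com", "roleDefinitionName": "Contributor", "scope": RG},
    {"principalName": "auditor@example.com", "roleDefinitionName": "Reader", "scope": ACCOUNT},
    {"principalName": "other@example.com", "roleDefinitionName": "Contributor", "scope": ACCOUNT + "2"},
]

# Built-in roles whose permissions include listing the account access keys,
# which is equivalent to full access to the blobs, files, tables and queues.
KEY_READING_ROLES = {"Owner", "Contributor", "Storage Account Contributor"}

SCOPE_RE = re.compile(
    r"^/subscriptions/[^/]+"
    r"(?:/resourceGroups/(?P<rg>[^/]+)"
    r"(?:/providers/(?P<rtype>[^/]+/[^/]+)/(?P<name>[^/]+))?)?$",
    re.IGNORECASE,
)

def scope_level(scope):
    """Classify an ARM scope string as subscription, resource-group or resource."""
    m = SCOPE_RE.match(scope.rstrip("/"))
    if not m:
        return "other"  # management group, root scope or child resource
    if m.group("name"):
        return "resource"
    return "resource-group" if m.group("rg") else "subscription"

def review(assignments, account_id):
    """Return (principal, role, level) for key-capable roles that reach account_id."""
    target, findings = account_id.lower(), []
    for a in assignments:
        scope = a["scope"].rstrip("/").lower()
        # Applies if the scope is the account itself or one of its ancestors;
        # the "/" guard keeps 'examplestorage2' from matching 'examplestorage'.
        reaches = target == scope or target.startswith(scope + "/")
        if reaches and a["roleDefinitionName"] in KEY_READING_ROLES:
            findings.append((a["principalName"], a["roleDefinitionName"], scope_level(scope)))
    return findings

def broader_than_account(assignments, account_id):
    """Key-capable assignments inherited from a resource group or subscription."""
    return [f for f in review(assignments, account_id) if f[2] != "resource"]

if __name__ == "__main__":
    for finding in review(ASSIGNMENTS, ACCOUNT):
        print(finding)
```
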
About the Author
Josh Lane is a Microsoft Azure MVP and Azure Trainer and Researcher at Cloud Academy. He’s spent almost twenty years architecting and building enterprise software for companies around the world, in industries as diverse as financial services, insurance, energy, education, and telecom. He loves the challenges that come with designing, building, and running software at scale. Away from the keyboard you'll find him crashing his mountain bike, drumming quasi-rhythmically, spending time outdoors with his wife and daughters, or drinking good beer with good friends.