Mastering Azure Blob Storage: From Secure Access to Smart Replication


I have outlined the following requirements for the company's storage needs for its offices and departments. This content is private to the company and should not be shared without consent. The storage solution must ensure high availability during regional power outages. Additionally, I propose using this storage space to back up the public website.

Architecture Diagram





I have designed a diagram featuring a storage account with two blob containers.

Tasks

  1. Create a storage account for the company's private documents.
  2. Configure redundancy for the storage account.
  3. Set up a shared access signature to provide partners with limited access to a specific file.
  4. Back up the public website storage.
  5. Implement lifecycle management to move content to the cold tier.


1- Create a storage account and configure high availability.



  1. Search for and select "Storage accounts" in the portal.
  2. Click "+ Create".
  3. Choose an existing resource group or create a new one.
  4. Name the storage account, e.g. "private", and append a unique identifier so the name is globally unique.
  5. This storage must ensure high availability in case of a regional outage. Read access to the secondary region is not required. Configure the appropriate redundancy level:
    1. In the storage account setup, under the "Data management" section, open the "Redundancy" blade.
    2. Ensure that "Geo-redundant storage (GRS)" is selected.
    3. Review the information about the primary and secondary locations.
  6. Select "Review and create" to set up the storage account.





2- Create a storage container, upload a file, and restrict access to the file
  1. In the storage account, under the "Data storage" section, select the "Containers" blade.
  2. Click "+ Container".
  3. Set the name of the container to "private".
  4. Ensure the public access level is set to "Private (no anonymous access)".
  5. As needed, review the Advanced settings, but use the default values.
  6. Click "Create" to set up the private container.
  7. For testing, upload a file to the private container:
    • Select the container.
    • Click "Upload".
    • Browse to files, select a small image or text file, and upload it.
    • Select the uploaded file.
    • On the "Overview" tab, copy the URL.
    • Paste the URL into a new browser tab.
    • Verify the file does not display and an error is received, confirming restricted access.


3- Configure and test a Shared Access Signature (SAS) to grant an external partner read and write access to a file for at least the next 24 hours.

  1. Select the uploaded blob file and navigate to the "Generate SAS" tab.

  2. In the "Permissions" dropdown menu, ensure the partner has both read and write permissions.
  3. Verify that the start and expiry date/time cover at least the next 24 hours.
  4. Click "Generate SAS token and URL".
  5. Copy the Blob SAS URL to a new browser tab.

  6. Confirm access to the file: if it’s an image file, it displays in the browser; other file types download.
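Before handing the Blob SAS URL to the partner, it is worth checking it against the requirement above (read and write only, a single blob, at least 24 hours, HTTPS). The following auditor is an added example and not part of the original post; the account name, blob name, signature and the 7-day validity ceiling are constructed assumptions.

```python
"""Audit a Blob SAS URL against a least-privilege policy (constructed example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

ALLOWED_PERMS = set("rw")           # the partner needs read and write, nothing more
MIN_VALIDITY = timedelta(hours=24)  # requirement from the task: at least the next 24 hours
MAX_VALIDITY = timedelta(days=7)    # assumption: longer-lived tokens deserve a review


def parse_sas_time(value):
    """SAS st/se values are ISO 8601 in UTC, e.g. 2025-01-01T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_blob_sas(url, now):
    """Return a list of findings; an empty list means the SAS fits the policy."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if query.get("sr") != "b":
        findings.append("scope is not a single blob (sr=%s)" % query.get("sr"))
    extra = set(query.get("sp", "")) - ALLOWED_PERMS
    if extra:
        findings.append("permissions beyond read/write: %s" % "".join(sorted(extra)))
    if "se" not in query:
        findings.append("no expiry (se) set")
    else:
        remaining = parse_sas_time(query["se"]) - now
        if remaining <= timedelta(0):
            findings.append("token already expired")
        elif remaining < MIN_VALIDITY:
            findings.append("expires in %s, less than the required 24 hours" % remaining)
        elif remaining > MAX_VALIDITY:
            findings.append("validity of %s exceeds the 7-day ceiling" % remaining)
    if query.get("spr") != "https":
        findings.append("HTTPS-only delivery (spr=https) not enforced")
    if "sig" not in query:
        findings.append("missing signature (sig)")
    return findings


# Constructed URL in the shape of the portal's "Blob SAS URL" field; account name,
# blob name and signature are placeholders, not values from a real account.
PARTNER_SAS_URL = (
    "https://privateexample.blob.core.windows.net/private/brief.pdf"
    "?sp=rw&st=2025-01-01T00:00:00Z&se=2025-01-03T00:00:00Z"
    "&spr=https&sv=2022-11-02&sr=b&sig=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    print(audit_blob_sas(PARTNER_SAS_URL, parse_sas_time("2025-01-01T00:00:00Z")))
```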

4- Configure storage access tiers and content replication, focusing on cost-saving by moving blobs from the hot tier to the cool tier after 30 days using Azure Blob storage lifecycle management.

  1. Return to the storage account.
  2. In the "Overview" section, confirm the "Default access tier" is set to "Hot".

  3. In the "Data management" section, select the "Lifecycle management" blade.
  4. Click "Add rule".
  5. Set the "Rule name" to "movetocool".
  6. Set the "Rule scope" to "Apply rule to all blobs in the storage account".

  7. Click "Next".
  8. Ensure "Last modified" is selected.
  9. Set "More than (days ago)" to 30.
  10. In the "Then" dropdown, select "Move to cool storage".
  11. As needed, review other lifecycle options in the dropdown.

  12. Add the rule to complete the configuration.
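The portal steps above produce a management-policy rule that can also be expressed as JSON. The dry-run below is an added example, not Azure's own evaluation engine or code from the original post: it holds that "movetocool" rule and walks a constructed blob inventory to show which blobs the rule would tier to Cool on a given date (only the tierToCool action and the blobTypes/prefixMatch filters are evaluated).

```python
"""Dry-run of the 'movetocool' lifecycle rule (constructed example, not Azure's engine)."""
from datetime import datetime, timedelta, timezone

# The same rule the portal steps create, in management-policy JSON form
MOVETOCOOL_POLICY = {
    "rules": [{
        "enabled": True,
        "name": "movetocool",
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {"tierToCool": {"daysAfterModificationGreaterThan": 30}}},
            "filters": {"blobTypes": ["blockBlob"]},  # scope "all blobs": no prefixMatch
        },
    }]
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def blobs_to_cool(policy, blobs, now):
    """Names of Hot blobs the policy would move to Cool at time `now`.

    Each blob is a dict with name ('container/blob'), blobType, tier and lastModified.
    """
    moved = []
    for rule in policy["rules"]:
        if not rule.get("enabled", True):
            continue
        action = rule["definition"]["actions"].get("baseBlob", {}).get("tierToCool")
        if not action:
            continue
        threshold = timedelta(days=action["daysAfterModificationGreaterThan"])
        filters = rule["definition"].get("filters", {})
        prefixes = filters.get("prefixMatch", [])  # literal prefixes, no wildcards
        for blob in blobs:
            if blob["blobType"] not in filters.get("blobTypes", ["blockBlob"]):
                continue
            if prefixes and not any(blob["name"].startswith(p) for p in prefixes):
                continue
            if blob["tier"] != "Hot":
                continue  # already Cool or Archive; nothing to do
            if now - parse_ts(blob["lastModified"]) > threshold:
                moved.append(blob["name"])
    return moved


# Constructed inventory, as if listed on 2025-03-01
SAMPLE_BLOBS = [
    {"name": "private/contract.pdf", "blobType": "blockBlob", "tier": "Hot", "lastModified": "2025-01-10T09:00:00Z"},
    {"name": "private/logo.png", "blobType": "blockBlob", "tier": "Hot", "lastModified": "2025-02-20T09:00:00Z"},
    {"name": "private/archive.zip", "blobType": "blockBlob", "tier": "Cool", "lastModified": "2024-12-01T09:00:00Z"},
    {"name": "backup/site.vhd", "blobType": "pageBlob", "tier": "Hot", "lastModified": "2024-11-01T09:00:00Z"},
]

if __name__ == "__main__":
    print(blobs_to_cool(MOVETOCOOL_POLICY, SAMPLE_BLOBS, parse_ts("2025-03-01T00:00:00Z")))
```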



5- Configure backup for public files, including optional replication between two storage accounts.

  1. Create a storage account named "public" if one doesn’t already exist.
  2. In the private storage account, create a new container named "backup" with default values.
  3. Navigate to the "public" storage account created in step 1.
  4. In the "Data management" section, select the "Object replication" blade.
  5. To configure replication between two storage accounts if desired, set the following:
    • Set the "Destination storage account" to the private storage account.
    • Set the "Source container" to "public" and the "Destination container" to "backup".
    • Create the replication rule.

  6. Optionally, as time permits, upload a file to the "public" container. Then return to the private storage account, refresh the "backup" container, and within a few minutes verify that the public website file appears there.





⚠️ Note: Prefix Filters

A prefix filter limits replication to blobs whose names start with a specific string (e.g., images/ or log). Wildcards like * or ? are not supported.

Examples:

  • Prefix log → Matches log2024.csv, log_error.txt (but not mylog.txt)

  • Prefix images/ → Matches images/cat.jpg (but not pictures/cat.jpg)

You can add up to 5 filters. Leave empty to replicate all blobs in the container. Use filters if you only want to replicate specific files or folders.
