Microsoft Certified Associate: Azure

Administrator AZ-104
Implement and Manage Storage
 A Day in the Life of an Azure Architect

An Azure Administrator has diverse requirements for their cloud-

hosted data. The company has documents, spreadsheets, and videos.
This information needs to be securely shared across the organization
and across geographical areas.

An appropriate storage account for the data is to be established. It is

required to configure secure access and a storage replication strategy.

The company has a large repository of documents used across the

company. The offices are in different geographical regions but need
the most current versions of the documents. The Azure File Shares are
configured to provide a central location for the documents.
 Learning Objectives

By the end of this lesson, you will be able to:

Create and configure storage accounts

Determine replication strategies

Configure Azure Files

Configure storage with tools

Creating and Configuring Storage Accounts
 Features of Azure Storage

Features of Azure Storage:

• It is a service that can be used to store files, messages, tables, and other types of information.

• It is durable, secure, scalable, managed, and accessible.

• It provides storage for virtual machines, unstructured data, and structured data.

• It has two tiers: Premium and Standard.

 Explore Azure Storage Services

A Microsoft object storage solution for the cloud, optimized for storing massive amounts of
unstructured data through services mentioned below:

• Azure Containers: A massively scalable object

store for text and binary data

• Azure Tables: Ideal for storing structured, non-

relational data

• Azure Queues: A messaging store for reliable

messaging between application components

• Azure Files: Managed file shares for cloud or on-

premises deployments

Source: https://docs.microsoft.com/en-us/azure/?product=popular
 Storage Account Types

Azure Storage offers several types of storage accounts:

Storage Account Recommended usage

Standard general-purpose v2 Most scenarios including Blob, File, Queue, Table, and Data Lake Storage

Block blob scenarios with high transactions rates or scenarios that use smaller
Premium block blobs
objects or require consistently low-storage latency

Premium file shares Enterprise or high-performance file share applications

Premium page blobs Premium high-performance page blob scenarios

 Determine Replication Strategies

Data replication in Azure storage account ensures durability and high availability. The
user can ensure data replication by following ways:

LRS ZRS

• Three replicas, one region

• Protects against disk, node, rack • Three replicas, three zones, one region
failures • Protects against disk, node, rack, and
• Write is acknowledged with committed zone failures
replicas • Synchronous writes to all three zones
• Superior to dual-parity RAID

Single region Multiple regions

Typically,>300mi Typically,>300mi

Async Async

Primary Secondary Primary Secondary

Source: https://docs.microsoft.com/en-us/azure/?product=popular
 Determine Replication Strategies

GRS RA-GRS

• Six replicas, two regions (three per • GRS + read access to secondary
region) • Separate secondary endpoint
• Protects against major regional • Recovery point objective (RPO) delay to
disasters secondary can be queried
• Asynchronous copy to secondary

Single region
Multiple regions

Typically,>300mi Typically,>300mi

Async Async

Primary Secondary Primary Secondary

Source: https://docs.microsoft.com/en-us/azure/?product=popular
 Determine Replication Strategies

GZRS RA-GZRS

• Six replicas, 3+1 zones, two regions • GRS + read access to secondary
• Protects against disk, node, rack, zone, • Separate secondary endpoint
and region failures • Recovery point objective (RPO) delay to
• Synchronous writes to all three zones secondary can be queried
and asynchronous copy to secondary

Multiple regions
Typically,
>300mi
Typically,>300mi

Secondary Secondary

Async Async
Read

Source: https://docs.microsoft.com/en-us/azure/?product=popular
Creating a Storage Account Using Azure Portal

Duration: 10 min.

Problem Statement:

Create a Storage account using the Azure portal to use different storage capabilities by Azure.
 Assisted Practice: Guidelines

Steps to create a storage account:

1. Sign in to Azure Portal
2. Locate Storage account blade
3. Click on create Storage account
Creating a Storage Account Using Azure CLI

Duration: 10 min.

Problem Statement:

Create a Storage account using the Azure CLI to use different storage capabilities by Azure.
 Assisted Practice: Guidelines

Steps to create a storage account using Azure CLI:

1. Install Azure CLI
2. Login to Azure
3. Create a resource group
4. Create a storage account
 Access Storage

Every object has a unique URL address based on account name and storage type.

• Container service: https://mystorageaccount.blob.core.windows.net

• Table service: https://mystorageaccount.table.core.windows.net

• Queue service: https://mystorageaccount.queue.core.windows.net

• File service: https://mystorageaccount.file.core.windows.net

A custom domain name can be configured.

An example:
CNAME record Target
blobs.contoso.com contosoblobs.blob.core.windows.net
 Secure Storage Endpoints

These are the necessary steps used to restrict network access to Azure services:

• Firewalls and Virtual Networks restrict access to the Storage Account from specific Subnets on
Virtual Networks or public IPs.

• Subnets and Virtual Networks must exist in the same Azure Region or Region Pair as the
Storage Account.

Source: https://docs.microsoft.com/en-us/azure/?product=popular
 Implement Blob Storage

Blob Storage stores unstructured data in the cloud and can store any type of text or binary data.
It is also referred to as object storage.

Common Uses
Account Container Blob
• Serving images or documents directly to a
browser
Sally pictures img001.jpg
• Storing files for distributed access
• Streaming video and audio
img002.jpg
• Storing data for backup and restore, disaster
recovery, archiving
movies mov1.avi
• Storing data for analysis by an on-premises or
Azure-hosted service

Source: https://docs.microsoft.com/en-us/azure/?product=popular
 Create Blob Storage

Guidelines to create Blob Containers:

• All blobs must be in a container

• Accounts have unlimited containers

• Containers can have unlimited blobs

• Private blobs: No anonymous access

• Blob access: Anonymous public read access for

blobs only

• Container access: Anonymous public read and list

access to the entire container, including the blobs

Source: https://portal.azure.com/
Creating Blob Storage

Duration: 05 min.

Problem Statement:

Create the blob container inside the storage account to hold the unstructured data.
 Assisted Practice: Guidelines

Steps to create blob storage:

1. Go to the Azure portal
2. Create a storage account
3. Create a blob container
 Create Blob Access Tiers

Access tiers by Azure Storage to access blob data:

• Hot tier: Optimized for frequent access of objects in the storage account

• Cool tier: Optimized for storing large amounts of data that is infrequently accessed and stored for at
least 30 days

• Archive: Optimized for data that can tolerate several hours of retrieval latency and will remain in the
Archive tier for at least 180 days

Source: https://portal.azure.com/
 Add Blob Lifecycle Management Rules

The lifecycle management policy allows to:

• Transition blobs to a cooler storage tier to

optimize for performance and cost

• Delete blobs at the end of their lifecycle

• Apply rules to filtered paths in the Storage

account

Source: https://portal.azure.com/
Create Blob Lifecycle Management Rules

Duration: 15 min.

Problem Statement:

Create the Blob lifecycle management rules to store the unstructured data in most cost-
effective manner.
 Assisted Practice: Guidelines

Steps to create Blob lifecycle management rules:

1. Go to the Azure portal
2. Locate the storage account blob
3. Select lifecycle management option
 Determine Blob Object Replication

Features of Blob Object Replication:

Region 1 Region 2
Source account Destination account
• Asynchronous to any other region
SourceContainer1 DestinationContainer1
Asynchronous
Blob1.txt replication Blob1.txt
Blob2.txt Blob2.txt • Minimizes latency for reading requests

Region 3
• Increases efficiency for compute workloads
Destination account

SourceContainer1 DestinationContainer2
Asynchronous • Optimizes data distribution
Blob3.txt replication Blob3.txt
Blob4.txt Blob4.txt

• Optimizes costs

Source: https://portal.azure.com/
 Upload Blobs

Authentication type for Blobs:

• Azure AD user account

• Account key

Types of Blobs include:

• Block blobs (default): Useful for storing text or binary files

• Page blobs: More efficient for frequent read or write operations

• Append blobs: Useful for logging scenarios

Source: https://portal.azure.com/
 Determine Storage Pricing

The following billing considerations are

used while using a storage account:
• Storage costs
• Blob storage
• Data access costs
• Transaction costs
• Geo-replication data transfer costs
• Outbound data transfer costs
• Changing the storage tier

Source: https://portal.azure.com/
 Review Storage Security Strategies

Security capabilities to build secure applications include:

• Storage service encryption

• Authentication with Azure AD and RBAC

• Client-side encryption, HTTPS, and SMB 3.0 for data in transit

• Azure disk encryption

• Shared Access Signatures: Delegated access

• Shared Key: Encrypted signature string

• Anonymous access to containers and blobs

 Create Shared Access Signature

A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources:

• It provides delegated access to resources.

• It grants access to clients without sharing the

storage account keys.

• The account SAS delegates access to resources

in one or more of the storage services.

• The service SAS delegates access to a resource

in just one of the storage services.

Source: https://portal.azure.com/
 Identify URI and SAS Parameters

• An SAS is a signed URI that points to one or more storage resources.

• It consists of a storage resource URI and the SAS token.

https://myaccount.blob.core.windows.net/?sp=r&st=2020-05-
11T18:31:43Z&se=2020-05-12T02:31:43Z&spr=https&sv=2019-10-
10&sr=b&sig=jOqABJZHfUVeBQ3yVn7kWiCKlO0sxCiK1rzEchfAz8U%3D

It includes parameters for the resource URI, the storage services version, the services, the
resource types, the start time, the expiry time, the resource, the permissions, the IP range,
the protocol, and the signature.

Source: https://portal.azure.com/
 Azure Subscriptions and Service Limits

Microsoft Azure limits are also called quotas.

Managing limits

● Some limits apply to the regional level.

● The user can raise soft limits by raising an online customer support request at no
charge.
● These limits keeps on changing.
● To check the latest limits, navigate to:
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-
subscription-service-limits
Create Shared Access Signature

Duration: 10 min.

Problem Statement:

Create Shared Access Signature for the storage account to provide users with a secure access.
 Assisted Practice: Guidelines

Steps to create shared access signature:

1. Go to the Azure portal
2. Locate the storage account blade
3. Create SAS
 Features of Storage Service Encryption

Azure Storage Service Encryption (SSE) for data at rest protects the data by ensuring the
organizational security and compliance commitments are met. Its features include:

• Protects the data for security and compliance

• Encrypts and decrypts the data automatically

• Encrypted through 256-bit AES encryption

• Is enabled for all new and existing storage

accounts and cannot be disabled

• Is transparent to users

Source: https://portal.azure.com/
 Features of Customer Managed Keys

Features of the Customer Managed Keys:

• Use the Azure Key Vault to manage the

encryption keys

• Create encryption keys and store them in a

key vault

• Use Azure Key Vault's APIs to generate

encryption keys

• Use custom keys for more flexibility and

control

Source: https://portal.azure.com/
 Storage Security Best Practices

The following recommendations for using shared access signatures can help mitigate risks:

Always use HTTPS to create or distribute an SAS

Don't assume SAS is always the correct
choice Reference stored access policies where possible

Use near-term expiration times on an

Validate data written using SAS ad hoc SAS

Understand that the account will Use Storage Analytics to monitor the
be billed for any usage application

Be specific with the resource to be Be careful with the SAS start time
accessed
Configure Azure Files
 Compare Azure Files to Azure Blobs

The following table depicts the differences between Azure files and Azure blobs:

Feature Description When to use

Azure SMB interface, client libraries, • Lift and shift an application to the cloud
Files and a REST interface that allows
• Store shared data across multiple virtual
access from anywhere to stored
machines
files
• Store development and debugging tools that
need to be accessed from many virtual
machines

Azure Client libraries and a REST • Support streaming and random-access

Blobs interface that allows scenarios
unstructured data (flat
• Access application data from anywhere
namespace) to be stored and
accessed at a massive scale in
block blobs
 Manage File Shares

Parameters for file share Name and the Quota:

• File share quotas

• Windows: Ensure port 445 is open

• Linux: Mount the drive

• MacOS: Mount the drive

• Secure transfer required: SMB 3.0 encryption

Source: https://portal.azure.com/
 Create File Share Snapshots

Guidelines to create File Share Snapshots:

• Create incremental snapshot that captures the share state at a point
in time and read-only copy of the data
• Delete Snapshot at the file share level and restore at the file level
• Protect against application error and data corruption
• Protect against accidental deletions or unintended changes
• Retain only the most recent share snapshot in order to restore the
share

Source: https://portal.azure.com/
Create Azure File Share

Duration: 10 min.

Problem Statement:

As an Azure Administrator, recommend a distributed File server service to deploy to Azure.

 Assisted Practice: Guidelines

Steps to create Azure file share:

1. Go to the Azure portal
2. Navigate to the storage account
3. Select the file share option to create the file share
Create an Azure File Share Snapshot

Duration: 10 min.

Problem Statement:

As an Azure Administrator, recommend a backup method for distributed File server service
that has been deployed to Azure.
 Assisted Practice: Guidelines

Steps to create an Azure file share snapshot:

1. Go to the Azure portal
2. Navigate to the storage account
3. Locate the file share
4. Select the create snapshot option to create the snapshot
 Implement Azure File Sync

Centralize an organization's file shares in Azure Files while keeping the

flexibility, performance, and compatibility of an on-premises file server.
• Lift and shift
• Branch office backups
• Backup and disaster Recovery
• File archiving

Source: https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning
 Identify File Sync Components

Components of the Storage Sync Service:

• The Storage Sync Service is the top-level resource.

• The registered server object represents a trust

relationship between the server (or cluster) and the
Storage Sync Service.

• The Azure File Sync agent is a downloadable

package that enables Windows Server to be synced
with an Azure file share.

• A server endpoint represents a specific location on

a registered server, such as a folder.

• A cloud endpoint is an Azure file share.

• A sync group defines which files are kept in sync.

Source: https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning
 Setup File Sync

Steps to setup File Sync:

Source: https://docs.microsoft.com/en-us/azure/storage/file-sync/file-sync-planning
Deploy File Sync

Duration: 10 min.

Problem Statement:

You've been given the task of creating a guest user so that you can invite an external user to
collaborate with your company by adding the user to your directory as a guest user.
 Assisted Practice: Guidelines

Steps to deploy Azure file sync:

1. Prepare windows server to use Azure file sync
2. Deploy storage sync service
3. Install Azure file sync agent
4. Register windows server with storage sync service
5. Create sync group and cloud endpoint
6. Create a server endpoint
Configure Storage with Tools
 Use Storage Explorer

Uses of Azure Storage Explorer are:

• Access multiple accounts and

subscriptions

• Create, delete, view, edit storage

resources

• View and edit Blob, Queue, Table, File,

Cosmos DB storage, and Data Lake
Storage

• Obtain shared access signature (SAS)

keys

• Available for Windows, Mac, and Linux

Source: https://portal.azure.com/
Use Azure Storage Explorer

Duration: 10 min.

Problem Statement:

Install and explore Azure storage explorer to manage the storage account directly from local
system instead of going to Azure portal.
 Assisted Practice: Guidelines

Steps to configure Azure storage explorer:

1. Install Azure storage explorer
2. Launch the explorer
3. Connect to the Azure account
 Use the Import and Export Services

Import jobs: Move large

amounts of data to Azure
blob storage or files

Export jobs: Move large

amounts of data from Azure
blob storage (not files)

Source: https://docs.microsoft.com/en-us/azure/?product=popular
 Use AzCopy

An alternative method for transferring data is AzCopy.

Azcopy copy [source] [destination] [flags]

• Command line utility

• Available on Windows, Linux, and macOS

• Designed for copying data to and from Azure Blob, File, and Table storage

• Authentication options include Active Directory or SAS token

Use AzCopy

Duration: 10 min.

Problem Statement:

Install and use AzCopy to manage your storage account directly from your local system
instead of going to Azure portal.
 Assisted Practice: Guidelines

Steps to configure AzCopy:

1. Install AzCopy
2. Use Azcopy Command to upload or download blobs from the storage account
 Key Takeaways

The storage account provides a unique namespace for Azure

Storage data objects.

Data objects can be blobs, files, queues, tables, and disks.

Azure Blob storage is optimized for storing massive amounts of

unstructured data.

Secure Azure storage comes with shared access signatures,

storage service encryption, and customer-managed keys.
 Key Takeaways

Azure Files offers fully managed file shares in the cloud that are
accessible via SMB protocol or NFS protocol.

Azure File Sync is a service that allows to cache several Azure

file shares on an on-premises Windows Server or cloud VM.

AzCopy is a command-line utility that can be used to copy blobs or

files to or from a storage account.

Azure Import or Export service is used to securely import large

amounts of data to Azure Blob storage and Azure Files.
 Implementing Stored Access Policy

Project agenda: To implement the stored access policy Duration: 20 min.

Description: Create a traffic manager to route the traffic for

a web application based on performance. As a part of this,
create two web applications, each in two different regions,
and place them behind the traffic manager to route the
traffic to appropriate applications based on performance.

Perform the following:

Create two web applications in two different regions and
use a traffic manager to route the traffic based upon
performance.