Azure Storage is Microsoft’s cloud platform for scalable, modern data storage. If the number of options overwhelms you, then keep reading. Each Azure storage offering will be broken down into simple terms, while also addressing other things to consider when choosing a solution.
To make things easier for users, Azure Storage offerings are:
- Highly available
However, there’s not just one storage solution that fits all workflows. First, we’ll review the primary services in Azure Storage.
Core Storage Services
Azure Storage offers five core services: Blobs, Files, Queues, Tables, and Disks. Let’s explore each and establish some common use cases.
Azure Blobs is Microsoft’s cloud object storage service for BLOBs (Binary Large Objects), which excels in random access scenarios. This storage type is typically used for unstructured data, such as documents, images, logs, audio, and video. Each blob carries its associated metadata, and blobs are organized into containers (think of a container as a pseudo folder layer over an otherwise flat object namespace).
Common use cases include:
- Hosting data for websites or apps
- Streaming video or audio
- Log files
- Backup, disaster recovery, and archive
- Azure Data Lake big data analytics
Azure Files is Microsoft’s SMB implementation in the cloud. Think of it like Network Attached Storage (NAS). These shares are highly available from anywhere in the world and can be mounted directly on Windows, macOS, and Linux clients via SMB. This is traditional file storage in a folder hierarchy like you’d expect when using the SMB protocol.
Microsoft advertises this offering as a cloud NAS solution for end-user data, although the most common use I’ve found is “lifting and shifting” on-premises applications to the cloud that already use native APIs and SMB. Azure Files certainly can be used as a cloud replacement for on-premises NAS, but there are other solutions out there that do a better job.
For application development, if you have VMs running in Azure that need access to centralized dev/debug tools or logging then Azure Files is a quick solution that’s already in the same cloud as those VMs.
However, there are some SMB features not currently supported by Azure Files (listed here), which should be considered when deciding if Azure Files is the right storage solution for your workflow.
Azure Queues are used for asynchronous messaging between application components, which is especially useful when decoupling those components (e.g., microservices) while retaining communication between them. Another benefit is that these messages are easily accessible via HTTP and HTTPS.
In addition to Azure Storage Queues, Microsoft also offers Service Bus Queues for more advanced messaging integration patterns. The differences between Azure Storage Queues and Service Bus Queues are explained in more detail here.
Azure Tables are structured, schema-less NoSQL data stores in the cloud. Tables are commonly used to store flexible datasets such as user data for a web application and other kinds of metadata.
In addition to Tables, Microsoft has other database offerings such as their premium NoSQL Cosmos DB as well as many other SQL and NoSQL solutions. The differences between Azure Tables and Azure Cosmos DB are outlined here.
Azure Disks are used as persistent block-level storage attached to VMs in Azure. If you run any VMs in Azure, then you’re probably already using Azure Disks. Outside of VMs you probably won’t find yourself using Azure Disks, but it’s technically part of the Azure Storage family so it’s worth mentioning.
The three data tiers that Azure offers for storage products are designed to help you save money, especially if all data doesn’t need to be readily available for on-demand retrieval:
- Hot Tier optimizes the storage for frequently accessed data.
- Cool Tier optimizes storage for infrequently accessed data, which must be stored for at least 30 days.
- Archive Tier optimizes storage for rarely accessed data, which must be stored for at least 180 days. Retrieval latency at this tier is also flexible, on the order of hours.
With Cool and Archive tiers, there are early deletion charges if data doesn’t reside in Azure for the required number of days (30 and 180, respectively). Per Microsoft, “This charge is prorated. For example, if a blob is moved to archive and then deleted or moved to the hot tier after 45 days, you’ll be charged an early deletion fee equivalent to 135 (180 minus 45) days of storing that blob in archive.”
The Hot tier is the most expensive, but useful for data that always needs to be available and will frequently be updated, deleted, etc.
Data stored in the Cool tier can still be accessed at any time, but the early deletion charge comes into play if data is deleted before it has been in the Cool tier for 30 days. Cool tier data is typically short-term archive or disaster recovery data, and this tier costs less than the Hot tier.
Data stored in the Archive tier cannot be accessed on demand, and retrieval can take up to 14 hours before data is even available for egress. Archive tier data is typically long-term archive or compliance data that cannot be deleted for legal reasons, and this tier costs less than the Cool tier.
Storage Account Types
Each account type for Azure Storage has different properties and pricing. For the most part, you’ll use the General-purpose v2 account type; however, there are some legacy account types as well as blob- and file-specific storage accounts. More details about each account type are available here.
Azure always has multiple copies of your data on hand in the event of disaster, hardware failure, outages, etc. While these redundancy techniques and tiers are out of the scope of this blog, Microsoft provides more detail here.
How to Access Azure Storage
All Azure Storage offerings are protected by various authorization mechanisms, which differ by storage type. REST APIs, client libraries, and PowerShell are common workflows for accessing Azure Storage, although Microsoft also offers an easy-to-use UI for browsing, uploading, and downloading data via Azure Storage Explorer.
Let’s also review the various forms of authentication and authorization available for Azure Storage:
- Azure Active Directory (AD). For Blobs and Queues. When using the supported storage types, this is the simplest authentication/authorization method and ties directly into Azure role-based access control (RBAC). If you’re already using RBAC for various permissions in Azure, then this is the option you’ll want to go with when possible.
- Azure AD for SMB (Azure Files). For Azure Files. When using Azure Files via SMB protocol, then this is the preferred method of authorization. This can be configured either through Azure AD Domain Services or on-prem AD Domain Services. This works similarly to traditional AD authentication and authorization for on-prem SMB storage (NAS).
- Shared Key. For Blobs, Files, Queues, and Tables. This method is used with REST API requests and the Az.Storage PowerShell module. Each request to Azure Storage carries an Authorization header derived from the shared (account) key, which provides authorization.
- Shared Access Signatures (SAS). For Blobs, Files, Queues, and Tables. This concept and workflow are similar to Shared Key authorization; however, SAS allows for more granular control. Shared Access Signatures delegate access to certain resources in the account and can be made temporary or revoked at any time. As a result, the storage account is better protected. This contrasts with Shared Keys, which provide more open and permanent access to the storage account.
- Anonymous Access. For Blobs. Containers or blobs can be set to be public, which means anyone can read the data without authentication or authorization. By default, anonymous access to Azure Blob data is never permitted.
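To make the Shared Key bullet concrete, here is an added example (not code from the original post or from Microsoft) that builds the Authorization header for one Blob service REST request the way the documented Shared Key scheme does: an HMAC-SHA256 over a canonical "string to sign", keyed with the base64-decoded account key. The point for defenders is that only the signature travels in the header, while the account key itself authorizes every operation in the account for as long as it is valid, which is why SAS (a similar HMAC over a scoped, expiring string to sign) is preferred for delegation. The account name, account key and request are constructed placeholders, not real credentials.

```python
"""Shared Key authorization for an Azure Blob service request (added example).

Account name, key and request below are constructed placeholders.
"""
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample credentials; a real account key is a 64-byte base64 string.
ACCOUNT = "examplestorage"
ACCOUNT_KEY = base64.b64encode(b"\x01" * 64).decode()

# Standard headers that take part in the string-to-sign, in the order the
# Blob/Queue service expects (API version 2009-09-19 and later).
_STANDARD_HEADERS = (
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
    "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
    "If-Unmodified-Since", "Range",
)


def canonicalized_headers(headers):
    """x-ms-* headers, lowercased and sorted, one 'name:value\\n' per header."""
    items = [(k.lower().strip(), " ".join(v.split()))
             for k, v in headers.items() if k.lower().startswith("x-ms-")]
    return "".join(f"{k}:{v}\n" for k, v in sorted(items))


def canonicalized_resource(account, url):
    """'/account/path' followed by each query parameter as '\\nname:value'."""
    parsed = urlparse(url)
    resource = f"/{account}{parsed.path}"
    params = parse_qs(parsed.query, keep_blank_values=True)
    for name in sorted(params, key=str.lower):
        resource += f"\n{name.lower()}:{','.join(sorted(params[name]))}"
    return resource


def string_to_sign(method, url, headers, account=ACCOUNT):
    """Assemble the canonical string the service recomputes on its side."""
    lookup = {k.lower(): v for k, v in headers.items()}
    std = []
    for name in _STANDARD_HEADERS:
        value = lookup.get(name.lower(), "")
        # Content-Length is left empty when zero (API version 2015-02-21+).
        if name == "Content-Length" and value == "0":
            value = ""
        std.append(value)
    return (method.upper() + "\n" + "\n".join(std) + "\n"
            + canonicalized_headers(headers)
            + canonicalized_resource(account, url))


def shared_key_signature(sts, account_key=ACCOUNT_KEY):
    """Base64(HMAC-SHA256(base64-decoded key, UTF-8 string-to-sign))."""
    digest = hmac.new(base64.b64decode(account_key), sts.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method, url, headers,
                         account=ACCOUNT, account_key=ACCOUNT_KEY):
    """Value of the Authorization header: 'SharedKey <account>:<signature>'."""
    sig = shared_key_signature(string_to_sign(method, url, headers, account),
                               account_key)
    return f"SharedKey {account}:{sig}"


if __name__ == "__main__":
    # Constructed request: list the blobs in a container named "logs".
    req_headers = {
        "x-ms-date": "Mon, 01 Jan 2024 00:00:00 GMT",
        "x-ms-version": "2020-10-02",
        "Content-Length": "0",
    }
    url = f"https://{ACCOUNT}.blob.core.windows.net/logs?restype=container&comp=list"
    print(string_to_sign("GET", url, req_headers))
    print(authorization_header("GET", url, req_headers))
```

Because the service recomputes the same HMAC with its copy of the key, any client that holds the key can sign any request for any resource in the account; rotating the key is the only way to cut that access off, whereas a SAS carries its own expiry and scope inside the signed string.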
All data stored in an Azure Storage offering is automatically encrypted on upload and decrypted on retrieval. Azure handles this encryption/decryption (more details available here), but also offers methods for client-side encryption before data is sent over the wire to Azure.
Azure Storage is a powerful and flexible way to store your data in the cloud and especially useful if you’re already integrated with Microsoft’s ecosystem. If you’re still reading, then hopefully this blog was able to simplify the different options for storage types, access, security, and more.
Stealthbits Technologies is a data security software company focused on protecting an organization’s credentials and data. By removing inappropriate data access, enforcing security policy, and detecting advanced threats, we reduce security risk, fulfill compliance requirements, and decrease operations expense. Learn more by clicking here.
Dan Piazza is a Technical Product Manager at Stealthbits Technologies, responsible for File Systems and Sensitive Data in StealthAUDIT. He has worked in technical roles since 2013, with a passion for cybersecurity, data protection, data storage, and automation. He has a Bachelor’s degree from Bryant University, and outside of tech he enjoys running, tennis, and snowboarding.