Azure Administration: Implement and Manage Storage

Create and Configure Storage Account

Storage Types

  • Azure Files
    • Managed file share (shared folder)
    • Mounted with net use or accessed over the SMB protocol
  • Azure Blob
    • Unstructured data (objects)
    • Streaming support
    • Page blobs hold VM disks (VHD) up to 4 TB
  • Azure Queue - out of scope
    • Stores large numbers (millions) of messages
    • Accessed over HTTP or HTTPS
    • Decouples components for asynchronous processing
  • Azure Table - out of scope
    • Structured NoSQL data (key/attribute store)
    • Azure Cosmos DB Table API is the premium offering
  • Azure Data Lake Storage Gen2 - out of scope
    • Object store and hierarchical file system at the same time (hierarchical namespace on top of Blob storage)
    • Analytics workloads

Create Storage Account

# Create a resource group
New-AzureRmResourceGroup -Name 'AZ100_SA_PS' -Location 'canadacentral'

# Create a storage account
New-AzureRmStorageAccount -ResourceGroupName 'AZ100_SA_PS' -Name 'sbaz100sa' -Location 'canadacentral' -SkuName 'Standard_LRS'

# Get detail of the storage account 
Get-AzureRmStorageAccount -ResourceGroupName 'AZ100_SA_PS'

Storage Access Keys

  • Two account keys; each one grants full access to everything in the account (data and service configuration)
  • Store them in a secured location such as Azure Key Vault, never in source code or scripts
  • Do not share them; hand out a shared access signature (SAS) instead whenever possible
  • Regenerate the keys on a schedule and immediately when the account is suspected to be compromised
    • There are two keys so they can be rotated one at a time: move applications to the second key, then regenerate the first, so the storage stays reachable throughout the rotation
    • Regenerating a key also invalidates every SAS that was signed with it
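The rolling regeneration described above, written out as an added example (not code from the original page). It uses the AzureRM cmdlets the rest of the page uses and publishes the new key to Key Vault; the vault name and secret name are placeholders, and the vault is assumed to exist already.

```powershell
# Added example (not from the original page): rotate the two account keys one at a
# time so consumers never lose access. The Key Vault name and secret name are
# placeholders; the vault is assumed to exist and the caller to have set rights on it.
$resourceGroup      = 'AZ100_SA_PS'
$storageAccountName = 'sbaz100sa'
$vaultName          = 'az100-kv'        # assumed
$secretName         = 'sbaz100sa-key'   # assumed: the secret applications read

function Get-KeyValue {
    param([string]$KeyName)
    # Get-AzureRmStorageAccountKey returns both keys; pick one by name.
    (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName |
        Where-Object KeyName -eq $KeyName).Value
}

function Publish-StorageKeyToVault {
    param([string]$KeyValue)
    # Writing the secret again creates a new version; applications that read the
    # secret at start-up or on a timer pick the new key up from here.
    $secure = ConvertTo-SecureString -String $KeyValue -AsPlainText -Force
    Set-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure | Out-Null
}

# Step 1: applications currently use key1. Regenerate key2, which nothing uses,
# and publish it. Nothing breaks because key1 is still valid.
New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName -KeyName key2 | Out-Null
Publish-StorageKeyToVault -KeyValue (Get-KeyValue 'key2')

# Step 2: wait until every consumer has reloaded the secret. In a pipeline this
# would be a health check against the applications; here it is a fixed pause.
Start-Sleep -Seconds 300

# Step 3: regenerate key1. Any client still holding the old key1, or a SAS signed
# with it, is cut off here, which is exactly what you want after a compromise.
New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName -KeyName key1 | Out-Null

# Show the key names with only a prefix of each value, so the rotation can be
# confirmed without printing full keys into a console transcript.
Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName |
    Select-Object KeyName, @{ n = 'Value'; e = { $_.Value.Substring(0, 4) + '...' } }
```

The next rotation starts from key1 (now unused) and ends with key2, so applications alternate between the two keys; the order only matters in that the key being regenerated must be the one nothing is using.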

Shared Access Signature (SAS)

  • A signed query string appended to a storage URL that grants limited access without handing out the account key
  • Time limit (start and expiry)
  • Allowed permissions
  • Restrict protocol (HTTPS only)
  • Restrict IP address or range
  • Two types:
    • Service SAS - one resource in one service (a file share, a blob or container, a queue, a table)
    • Account SAS - one or more services and resource types across the whole account
  • A SAS signed directly with an account key can only be revoked by regenerating that key; a service SAS that references a stored access policy is revoked by editing or deleting the policy

SAS token

?sv=2019-10-10&ss=bf&srt=sco&sp=rwdlacx&se=2020-06-28T21:41:18Z&st=2020-06-28T13:41:18Z&spr=https&sig=xxxxx

Parameter   Description
sv          storage service version the token was signed for
ss          allowed services: b = blob, f = file (q = queue, t = table)
srt         allowed resource types: s = service, c = container, o = object
sp          permissions: r = read, w = write, d = delete, l = list, a = add, c = create, x = delete blob versions
se          expiry time (UTC)
st          start time (UTC)
spr         allowed protocol (https, or https,http)
sip         allowed IP address or range (absent from this token)
sig         signature: Base64 HMAC-SHA256 over the other parameters, computed with an account key; the key itself never appears in the token
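To make the "sig" parameter concrete, the following added example (not code from the original page, and not the Azure SDK's own implementation) builds an account SAS like the one above, recomputes its signature, and then shows what happens when the permissions are edited or the account key is regenerated. Everything runs offline in plain PowerShell; the account name, the random 64-byte key and the token are constructed test values, and the string-to-sign layout is the one documented for service versions before 2020-12-06.

```powershell
# Added example (not from the original page): parse an account SAS token and
# recompute its "sig" to show that the signature is an HMAC-SHA256 over the
# token's own parameters keyed with the account key. Account name, key and token
# below are constructed for the example; nothing talks to Azure.

function ConvertFrom-SasToken {
    param([string]$Token)
    # Turn "?sv=...&ss=...&sig=..." into a hashtable. sig and the dates are
    # URL-encoded in a real token, so decode each value.
    $params = @{}
    foreach ($pair in $Token.TrimStart('?') -split '&') {
        $name, $value = $pair -split '=', 2
        $params[$name] = [Uri]::UnescapeDataString([string]$value)
    }
    return $params
}

function Get-AccountSasSignature {
    param([string]$AccountName, [string]$AccountKey, [hashtable]$Sas)
    # String-to-sign for an account SAS (versions before 2020-12-06): one field
    # per line in this fixed order, ending with a newline. sip and st are empty
    # strings when the token does not carry them.
    $fields = @(
        $AccountName
        $Sas['sp']
        $Sas['ss']
        $Sas['srt']
        [string]$Sas['st']
        $Sas['se']
        [string]$Sas['sip']
        $Sas['spr']
        $Sas['sv']
    )
    $stringToSign = ($fields -join "`n") + "`n"
    # sig = Base64(HMAC-SHA256(UTF8(stringToSign), Base64Decode(accountKey)))
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Convert]::FromBase64String($AccountKey))
    return [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
}

function New-AccountSasToken {
    param([string]$AccountName, [string]$AccountKey, [hashtable]$Sas)
    $sig   = Get-AccountSasSignature -AccountName $AccountName -AccountKey $AccountKey -Sas $Sas
    $query = foreach ($k in 'sv', 'ss', 'srt', 'sp', 'se', 'st', 'spr') {
        "$k=$([Uri]::EscapeDataString($Sas[$k]))"
    }
    return '?' + ($query -join '&') + '&sig=' + [Uri]::EscapeDataString($sig)
}

function Test-AccountSasToken {
    param([string]$AccountName, [string]$AccountKey, [string]$Token)
    $sas = ConvertFrom-SasToken $Token
    # Time window first, then the MAC. Comparison is case-sensitive on purpose.
    $now = [DateTime]::UtcNow
    if ($sas['st'] -and [DateTime]::Parse($sas['st']).ToUniversalTime() -gt $now) { return 'not yet valid' }
    if ([DateTime]::Parse($sas['se']).ToUniversalTime() -le $now) { return 'expired' }
    $expected = Get-AccountSasSignature -AccountName $AccountName -AccountKey $AccountKey -Sas $sas
    if ($expected -ceq $sas['sig']) { return 'valid' } else { return 'bad signature' }
}

# Constructed values: a made-up account name and a random 64-byte key (the
# real keys are also 64 random bytes, shown base64-encoded in the portal).
$accountName = 'sbaz100sa'
$keyBytes    = [byte[]]::new(64)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$oldKey      = [Convert]::ToBase64String($keyBytes)

$sasFields = @{
    sv  = '2019-10-10'
    ss  = 'bf'     # blob + file
    srt = 'sco'    # service, container, object
    sp  = 'rl'     # read + list only, rather than the rwdlacx of the token above
    st  = (Get-Date).ToUniversalTime().ToString('yyyy-MM-dd\THH:mm:ss\Z')
    se  = (Get-Date).ToUniversalTime().AddHours(8).ToString('yyyy-MM-dd\THH:mm:ss\Z')
    spr = 'https'
}
$token = New-AccountSasToken -AccountName $accountName -AccountKey $oldKey -Sas $sasFields
"Token: $token"
'With the signing key:   ' + (Test-AccountSasToken $accountName $oldKey $token)

# Tamper: widen the permissions without re-signing. The MAC no longer matches,
# so the service would reject the request.
$tampered = $token -replace 'sp=rl', 'sp=rwdl'
'Tampered permissions:   ' + (Test-AccountSasToken $accountName $oldKey $tampered)

# "Regenerate" the key: every SAS signed with the old key dies with it.
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$newKey = [Convert]::ToBase64String($keyBytes)
'After key regeneration: ' + (Test-AccountSasToken $accountName $newKey $token)
```

Two things follow from the construction: anyone holding an account key can mint an account SAS with any permissions and any expiry without touching Azure, which is why the keys themselves must be protected, and the only way to kill an account SAS early is to regenerate the key it was signed with.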

Activity Log

  • Who did what and when at the control plane (ARM operations such as create, delete, list keys, regenerate key)
  • a.k.a. audit logs or operational logs
  • Kept for 90 days for free; export it to a Log Analytics workspace, a storage account or an Event Hub (paid) to keep it longer
  • Data sources that can be collected alongside it in Log Analytics:
    • VMs
    • Storage account
    • Azure activity logs - logs from the subscription
    • Scope configuration (preview)
    • Azure resources e.g. NSG
    • System Center Operations Manager
  • Important notes:
    • Activity Log can also be found in Azure Monitor
    • Operations Management Suite (OMS), a.k.a. Log Analytics, is being folded into Azure Monitor
    • Activity Log records control-plane operations only; reads and writes of the data itself (blob get/put) are not in it and need Storage Analytics logging or diagnostic settings on the storage account
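As a worked use of the "who did what and when" point, here is an added example (not from the original page) that pulls the activity log for the storage account created earlier and summarises every caller who read or regenerated the account keys. The 30-day window and the output shape are choices made for the example; the names are the ones used elsewhere on this page.

```powershell
# Added example (not from the original page): list who fetched or rotated the
# storage account keys in the last 30 days, grouped per caller and operation.
$resourceGroup      = 'AZ100_SA_PS'
$storageAccountName = 'sbaz100sa'

$account = Get-AzureRmStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccountName

# Every key read (portal "Access keys" blade, CLI, PowerShell, SDK) shows up as
# .../storageAccounts/listKeys/action; a rotation as .../regenerateKey/action.
# Each request logs a Started and a Succeeded event; keep only Succeeded so the
# count below is one per request.
$keyEvents = Get-AzureRmLog -ResourceId $account.Id -StartTime (Get-Date).AddDays(-30) |
    Where-Object {
        $_.Status -eq 'Succeeded' -and
        $_.OperationName -match 'storageAccounts/(listKeys|regenerateKey)/action'
    }

# One row per caller and operation with first/last time seen and a count, so a
# user or service principal that enumerates keys repeatedly stands out.
$keyEvents |
    Group-Object Caller, OperationName |
    ForEach-Object {
        $times = $_.Group.EventTimestamp | Sort-Object
        [pscustomobject]@{
            Caller    = $_.Group[0].Caller
            Operation = ($_.Group[0].OperationName -split '/')[-2]   # listKeys or regenerateKey
            Count     = $_.Count
            FirstSeen = $times[0]
            LastSeen  = $times[-1]
        }
    } |
    Sort-Object LastSeen -Descending |
    Format-Table -AutoSize
```

A listKeys entry from an identity that should only ever use a SAS, or a regenerateKey you did not schedule, is the signal to look for; because the log only covers the control plane, what was then done with the key has to come from the storage account's own data-plane logs.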

Storage Replication

  • Locally redundant storage (LRS)
    • Three copies within the same data center - protects against node or drive failure only
    • Supported on GPv1, GPv2, and Blob storage
  • Zone-redundant storage (ZRS)
    • Synchronously replicated across three storage clusters in the same region - protects against node failure and data center (zone) failure
    • Each cluster sits in its own availability zone
    • Supported on GPv2 (not GPv1)
    • Unrelated to VM availability sets, which spread VMs across fault domains inside one data center; ZRS is chosen as the storage account SKU
  • Geo-redundant storage (GRS)
    • Six copies: three (LRS) in the primary region, replicated asynchronously to three more in the paired region - protects against node, data center and region-wide failure
    • The secondary cannot be read until the account is failed over
  • Read-access geo-redundant storage (RA-GRS)
    • Same as GRS but data can be read from the secondary region without a failover
    • At URL youraccount-secondary.blob.core.windows.net
    • Same access keys as the primary
    • Reads from the secondary can lag behind the primary because replication is asynchronous

Import and Export Data to Azure

Scenarios

  • Initial backup or recovery
  • Data migration to Azure
  • Distribute content to other sites
  • When not possible to transfer large amount of data over the internet

Data Box

  • Physical storage device
  • Offline data transfer:
    • Data Box Disk - up to 40 TB
    • Data Box - 40-500 TB
    • Data Box Heavy - 500TB+
  • Online data transfer:
    • Data Box Gateway
    • Data Box Edge

Import

  • Enable BitLocker on the drive and record the recovery key
  • Prepare the drive with WAImportExport.exe
    • Version 1 - Blob
    • Version 2 - File
  • The tool writes a journal file that contains
    • Drive serial number
    • BitLocker encryption key
    • Storage account
  • Recommended to use the drive serial number as the journal name
  • The journal file holds the key that unlocks the drive, so keep it as protected as the data itself and delete it when the job is done

Import Preparation

# Print the BitLocker protectors for drive E: and note the numerical (recovery) password
manage-bde -protectors -get E:

# Prepare the drive for a blob import. /j = journal file, /id = session id (unique per run),
# /sk = storage account key, /t = drive letter, /bk = BitLocker numerical password,
# /srcdir = data on the drive, /dstdir = target virtual directory in the account,
# /skipwrite = data is already on the drive, only generate the journal and manifest
WAImportExport.exe PrepImport /j:journalfile.jrn /id:session002 /sk:storage_account_access_key /t:e /bk:bitlocker_numeric_password /srcdir:e:\ /dstdir:importexport/ /skipwrite

Export

  • Blob only
  • Ship an empty drive, configure which blobs to export, and Microsoft ships the drive back
  • Retrieve the BitLocker key from the portal to unlock the drive and copy the data off

Azure Blob Storage

  • Unstructured data
    • Files for distributed access
    • Log files
    • Backups
    • Archives
    • Data for analysis
  • Access using HTTP or HTTPS


  • Access level (public access) of a container:
    • Private - no anonymous access; requires the account key, a SAS or an RBAC role - default
    • Blob - anonymous read of any blob whose URL is known; the container cannot be listed
    • Container - anonymous read of blobs and listing of the container's contents
  • Stored access policy:
    • Fine-grained, revocable control at container level (up to five policies per container), referenced by a service SAS
    • Change start and expiry date
    • Modify permissions
    • Revoke access by deleting the policy, without regenerating the account key
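Putting the access level and the stored access policy together, the following added example (not code from the original page) audits the account for containers that allow anonymous access, closes them, and hands out a time-boxed SAS through a stored access policy instead. It reuses the names from this page; the policy name is a placeholder.

```powershell
# Added example (not from the original page): find containers with anonymous
# access, set them back to private, and replace the public URL with a SAS that
# is bound to a stored access policy so it can be revoked later.
$resourceGroup      = 'AZ100_SA_PS'
$storageAccountName = 'sbaz100sa'
$policyName         = 'reader-7d'   # placeholder

$key     = (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName)[0].Value
$context = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key

# 1. Anything other than Off (Blob or Container) is reachable without credentials.
$exposed = Get-AzureStorageContainer -Context $context | Where-Object { $_.PublicAccess -ne 'Off' }
$exposed | Select-Object Name, PublicAccess, LastModified

foreach ($c in $exposed) {
    # 2. Close anonymous access. Unauthenticated readers are refused from now on.
    Set-AzureStorageContainerAcl -Name $c.Name -Permission Off -Context $context

    # 3. Create a stored access policy on the container. A SAS that references it
    #    carries only the policy identifier instead of its own permissions and
    #    expiry, so changing or deleting the policy changes or revokes every SAS
    #    issued against it; no key regeneration needed.
    New-AzureStorageContainerStoredAccessPolicy -Container $c.Name -Policy $policyName `
        -Permission rl `
        -StartTime (Get-Date).ToUniversalTime() `
        -ExpiryTime (Get-Date).ToUniversalTime().AddDays(7) `
        -Context $context | Out-Null

    # 4. Issue the SAS bound to that policy, HTTPS only, as a full URI to hand out.
    $sasUri = New-AzureStorageContainerSASToken -Name $c.Name -Policy $policyName `
        -Protocol HttpsOnly -Context $context -FullUri
    "Container $($c.Name): share this instead of the anonymous URL -> $sasUri"
}

# Revocation later: deleting the policy kills every SAS that references it.
# Remove-AzureStorageContainerStoredAccessPolicy -Container <name> -Policy $policyName -Context $context
```

The permissions on the SAS are read and list only; if a consumer also needs to upload, add write/create to the policy rather than issuing an ad-hoc SAS, so the same revocation path still applies.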

Immutable Blob Storage

  • Write once, read many (WORM)
  • Existing blobs cannot be deleted or overwritten while the policy applies
  • New blobs and new containers can still be added
  • Scenarios:
    • Legal hold
    • Secure document retention
    • Compliance
  • Policy (set per container):
    • Time-based retention - each blob is protected for the retention interval counted from when that blob was written; the policy can be edited while unlocked and, once locked, can only be extended
    • Legal hold - data protected until every hold tag is cleared

Create Blob Container

# Define variables
$location = "canadacentral"
$resourceGroup = "AZ100_SA_PS"
$storageAccountName = "sbaz100sa"
$containerName = "az100"

# Retrieve the context. Get-AzureRmStorageAccountKey returns both keys as objects,
# so take the Value of the first one rather than passing the whole array to -StorageAccountKey
$key = (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -StorageAccountName $storageAccountName)[0].Value
$context = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key

# Create a container. -Permission blob allows anonymous read of any blob whose URL is known;
# leave it at the default (Off) unless public read access is intended
New-AzureStorageContainer -Name $containerName -Context $context -Permission blob

# Upload a file
Set-AzureStorageBlobContent -File "D:\02\Image001.bmp" -Container $containerName -Blob "Image001.bmp" -Context $context

# Download a file (-Destination can be a folder or a full file path)
Get-AzureStorageBlobContent -Blob "Image001.bmp" -Container $containerName -Destination "D:\02\Downloads" -Context $context

# List files in the container
Get-AzureStorageBlob -Container $containerName -Context $context

# Delete the container and everything in it (prompts for confirmation unless -Force is given)
Remove-AzureStorageContainer -Name $containerName -Context $context