Azure Administration: Implement and Manage Storage
Create and Configure Storage Account
Storage Types
Create Storage Account
# Create a resource group
New-AzureRmResourceGroup -Name 'AZ100_SA_PS' -Location 'canadacentral'
# Create a storage account
New-AzureRmStorageAccount -ResourceGroupName 'AZ100_SA_PS' -Name 'sbaz100sa' -Location 'canadacentral' -SkuName 'Standard_LRS'
# Get details of the storage account
Get-AzureRmStorageAccount -ResourceGroupName 'AZ100_SA_PS'
Storage Access Keys
- Account keys, full access
- Store in a secured location like Azure Key Vault
- Do not share
- Always use a shared access signature instead of the key when possible
- Regenerate the keys regularly or when the account is compromised
- Two keys are provided for rolling regeneration, so the application can keep accessing the storage account while one key is regenerated
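The rolling regeneration described above, as an added example (not part of the original notes): the application is always pointed at the key that is not being regenerated, and each key is verified before anything depends on it. It assumes the AzureRm, Azure.Storage and AzureRM.KeyVault modules and the resource group and account names used elsewhere on this page; the Key Vault name and secret name are hypothetical placeholders.

```powershell
# Added example, not from the original notes: rolling rotation of the two
# account keys so the application never loses access. Key Vault and secret
# names are placeholders.
$resourceGroup      = 'AZ100_SA_PS'
$storageAccountName = 'sbaz100sa'
$vaultName          = 'az100-kv'          # placeholder
$secretName         = 'sbaz100sa-key'     # placeholder

function Get-StorageKeyValue {
    param([string]$KeyName)
    # Re-read from Azure every time so a stale value is never reused.
    $keys = Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName
    return ($keys | Where-Object { $_.KeyName -eq $KeyName }).Value
}

function Test-StorageKey {
    param([string]$Key)
    # Prove a key works (list containers) before anything depends on it.
    $ctx = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $Key
    try { Get-AzureStorageContainer -Context $ctx -ErrorAction Stop | Out-Null; return $true }
    catch { return $false }
}

function Publish-StorageKey {
    param([string]$Key)
    # The application reads the key from Key Vault, so "switching keys" means
    # updating the secret; previous versions remain in the vault's history.
    $secure = ConvertTo-SecureString -String $Key -AsPlainText -Force
    Set-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secure | Out-Null
}

function Invoke-KeyRotation {
    # Rotate one key at a time: first move the app to key2 and regenerate key1,
    # then move the app to the fresh key1 and regenerate key2.
    foreach ($pair in @(@('key2', 'key1'), @('key1', 'key2'))) {
        $useKey, $rotateKey = $pair
        $current = Get-StorageKeyValue -KeyName $useKey
        if (-not (Test-StorageKey -Key $current)) { throw "$useKey does not work; aborting before touching $rotateKey" }
        Publish-StorageKey -Key $current
        # Regenerating invalidates every copy of $rotateKey that was ever shared.
        New-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName -KeyName $rotateKey | Out-Null
        $fresh = Get-StorageKeyValue -KeyName $rotateKey
        if (-not (Test-StorageKey -Key $fresh)) { throw "regenerated $rotateKey does not work" }
    }
}

Invoke-KeyRotation
```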
Shared Access Signature (SAS)
- Time limit
- Allowed permissions
- Restrict protocol
- Restrict IP range
- Two types:
  - Service SAS - a single file, blob, queue, or table
  - Account SAS - any of the storage services
SAS token
?sv=2019-10-10&ss=bf&srt=sco&sp=rwdlacx&se=2020-06-28T21:41:18Z&st=2020-06-28T13:41:18Z&spr=https&sig=xxxxx
| Parameter | Description |
|---|---|
| sv | storage service version |
| ss | allowed services, i.e. blob, file |
| srt | allowed resource types, i.e. service, container, object |
| sp | permissions, i.e. read, write, delete, list, add, create |
| se | expiry date |
| st | start date |
| spr | allowed protocol |
| sig | signature computed with the account signing key |
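Issuing a token that applies all of the restrictions listed above (time limit, permissions, protocol, IP range) and decoding it into the fields of the table, as an added example that is not part of the original notes. It uses the Azure.Storage module and the page's account name; `$storageAccountKey` and the client IP range are placeholders.

```powershell
# Added example, not from the original notes: least-privilege account SAS plus
# a decoder and a hygiene check for the fields in the table above.
$ctx = New-AzureStorageContext -StorageAccountName 'sbaz100sa' -StorageAccountKey $storageAccountKey

function New-ReadOnlyBlobSas {
    param([int]$Hours = 1, [string]$ClientRange = '203.0.113.0-203.0.113.255')  # placeholder range
    $now = (Get-Date).ToUniversalTime()
    $params = @{
        Context          = $ctx
        Service          = 'Blob'                 # ss=b  : blob service only
        ResourceType     = 'Container,Object'     # srt=co: no service-level operations
        Permission       = 'rl'                   # sp=rl : read and list, nothing else
        Protocol         = 'HttpsOnly'            # spr=https
        IPAddressOrRange = $ClientRange           # sip   : only from this range
        StartTime        = $now                   # st
        ExpiryTime       = $now.AddHours($Hours)  # se
    }
    New-AzureStorageAccountSASToken @params
}

function ConvertFrom-SasToken {
    param([string]$Token)
    # Split the query string into an ordered name -> value table.
    $fields = [ordered]@{}
    foreach ($pair in $Token.TrimStart('?').Split('&')) {
        $name, $value = $pair.Split('=', 2)
        $fields[$name] = [uri]::UnescapeDataString($value)
    }
    return $fields
}

function Test-SasHygiene {
    param([string]$Token)
    # Returns the findings a reviewer would flag; an empty list means the token
    # respects the constraints listed in the notes above.
    $f = ConvertFrom-SasToken $Token
    $findings = @()
    if ($f['spr'] -ne 'https')         { $findings += 'allows plain HTTP' }
    if (-not $f.Contains('sip'))       { $findings += 'no IP restriction' }
    if ($f['sp'] -match '[wdacx]')     { $findings += "grants write-class permissions: $($f['sp'])" }
    $lifetime = [datetime]$f['se'] - [datetime]$f['st']
    if ($lifetime.TotalHours -gt 24)   { $findings += "lifetime $($lifetime.TotalHours) h exceeds 24 h" }
    return $findings
}

$sas = New-ReadOnlyBlobSas -Hours 1
ConvertFrom-SasToken $sas
Test-SasHygiene $sas   # no findings for the token issued above
```

Running Test-SasHygiene over the example token at the top of this section flags it for write/delete permissions and a missing IP restriction.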
Activity Log
- Who did what and when
- a.k.a. audit logs or operational logs
- Kept for 90 days for free. Can pay to keep longer.
- Data sources:
  - VMs
  - Storage account
  - Azure activity logs - logs from the subscription
  - Scope configuration (preview)
  - Azure resources e.g. NSG
  - System Center Operations Manager
- Important notes:
  - Activity Log can also be found in Azure Monitor
  - Operations Management Suite (OMS), a.k.a. Log Analytics, will be replaced by Azure Monitor
Storage Replication
- Locally redundant storage (LRS)
  - Three copies within the same data center - protects against node failure
  - Supported on GPv1, GPv2, and Blob storage
- Zone-redundant storage (ZRS)
  - Synchronously replicated across three storage clusters in the same region - protects against node failure and data center failure
  - Each cluster is isolated in an availability zone
  - Supported on General and GPv2
  - Default replication when creating availability sets
- Geo-redundant storage (GRS)
  - Six copies across a paired region - protects against node failure, data center failure, and region-wide failure
- Read-access geo-redundant storage (RA-GRS)
  - Same as GRS, but data can be read from the secondary data center without failover
  - At URL youraccount-secondary.blob.core.windows.net
  - Same access key
Import and Export Data to Azure
Scenarios
- Initial backup or recovery
- Data migration to Azure
- Distribute content to other sites
- When it is not possible to transfer a large amount of data over the internet
Data Box
- Physical storage device
- Offline data transfer:
  - Data Box Disk - up to 40 TB
  - Data Box - 40-500 TB
  - Data Box Heavy - 500 TB+
- Online data transfer:
  - Data Box Gateway
  - Data Box Edge
Import
- Enable BitLocker on the drive and grab the key
- Prepare using WAImportExport.exe
  - Version 1 - Blob
  - Version 2 - File
- Create a journal file that contains
  - Drive serial number
  - Encryption key
  - Storage account
- Recommended to use the drive serial number as the journal name
Import Preparation
# note the numerical password from this command
manage-bde -protectors -get E:
WAImportExport.exe PrepImport /j:journalfile.jrn /id:session002 /sk:storage_account_access_key /t:e /bk:bitlocker_numeric_password /srcdir:e:\ /dstdir:importexport/ /skipwrite
Export
- Blob only
- Ship empty drive, configure blob to export, and ship back
- Retrieve BitLocker key to unlock the drive and transfer data
Azure Blob Storage
- Unstructured data
- Files for distributed access
- Log files
- Backups
- Archives
- Data for analysis
- Access using HTTP or HTTPS
- Access level:
  - Private - no anonymous access, only the account owner - default
  - Blob - anonymous read access to blobs only
  - Container - anonymous read access to blobs and the container (list)
- Access policy:
  - Fine-grained access control at the container or blob level
  - Change start and expiry date
  - Modify permissions
  - Revoke access
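The access-policy lifecycle from the list above (create, change expiry, revoke), as an added example that is not part of the original notes. It assumes the Azure.Storage module, the page's container name, and a `$context` built as in the "Create Blob Container" script below; the policy name is a placeholder.

```powershell
# Added example, not from the original notes: stored access policy on the
# container, a SAS bound to it, and revocation. Policy name is a placeholder.
$containerName = 'az100'
$policyName    = 'readers-q2'   # placeholder

function Test-ContainerList {
    param([string]$SasUri)
    # $true if the SAS can still list the container, $false once the service refuses it.
    try {
        Invoke-WebRequest -Uri "$SasUri&restype=container&comp=list" -UseBasicParsing -ErrorAction Stop | Out-Null
        return $true
    } catch { return $false }
}

# The container itself stays private; access is granted only through the policy.
Set-AzureStorageContainerAcl -Name $containerName -Permission Off -Context $context

# 1. Policy: read + list for 7 days. Permissions and dates live in the policy,
#    not in the token, so they can be changed after tokens have been handed out.
$now = (Get-Date).ToUniversalTime()
New-AzureStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName `
    -Permission rl -StartTime $now -ExpiryTime $now.AddDays(7) -Context $context

# 2. SAS that references the policy by name (si=<policy> in the query string).
$sasUri = New-AzureStorageContainerSASToken -Name $containerName -Policy $policyName -FullUri -Context $context
$before = Test-ContainerList -SasUri $sasUri   # $true

# 3. Shorten the window: every token bound to the policy picks up the new expiry.
Set-AzureStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName `
    -ExpiryTime $now.AddDays(1) -Context $context

# 4. Revoke: deleting the policy invalidates all SAS tokens issued against it.
Remove-AzureStorageContainerStoredAccessPolicy -Container $containerName -Policy $policyName -Context $context
$after = Test-ContainerList -SasUri $sasUri    # $false

[pscustomobject]@{ BeforeRevoke = $before; AfterRevoke = $after }
```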
Immutable Blob Storage
- Write once, read many (WORM)
- Data cannot be deleted or modified
- New containers and data can still be added
- Scenarios:
  - Legal hold
  - Secure document retention
  - Compliance
- Policy:
  - Time-based retention - active from when the container is created
  - Legal hold - data protected until the hold is cleared
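Both policy types from the list above applied to the page's container, followed by a check that a blob can no longer be deleted, as an added example that is not part of the original notes. It assumes the AzureRM.Storage immutability cmdlets (5.1 or later), the `$context` from the "Create Blob Container" script below, and that Image001.bmp is already in the container; the retention period and hold tag are placeholders.

```powershell
# Added example, not from the original notes: time-based retention plus a
# legal hold, then a deletion check. Period and tag are placeholders.
$resourceGroup = 'AZ100_SA_PS'
$account       = 'sbaz100sa'
$container     = 'az100'
$common = @{ ResourceGroupName = $resourceGroup; StorageAccountName = $account; ContainerName = $container }

# 1. Time-based retention: blobs cannot be modified or deleted for 365 days.
#    The policy is created unlocked, so it can still be adjusted while testing.
Set-AzureRmStorageContainerImmutabilityPolicy @common -ImmutabilityPeriod 365 | Out-Null

# 2. Lock it. A locked policy can only have its period extended, never
#    shortened or removed; that irreversibility is what compliance relies on.
$policy = Get-AzureRmStorageContainerImmutabilityPolicy @common
Lock-AzureRmStorageContainerImmutabilityPolicy @common -Etag $policy.Etag -Force | Out-Null

# 3. Legal hold: independent of the retention clock, blocks deletion until
#    every tag has been cleared.
Add-AzureRmStorageContainerLegalHold @common -Tag 'case-0001' | Out-Null   # placeholder tag

function Test-BlobDeletable {
    param([string]$BlobName)
    # Attempts the delete; $true only if the service allowed it.
    try {
        Remove-AzureStorageBlob -Container $container -Blob $BlobName -Context $context -Force -ErrorAction Stop
        return $true
    } catch { return $false }
}
Test-BlobDeletable -BlobName 'Image001.bmp'   # $false while the hold or the retention period is active

# 4. Clearing the hold removes only the legal-hold protection; the locked
#    retention period still applies.
Remove-AzureRmStorageContainerLegalHold @common -Tag 'case-0001' | Out-Null
```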
Create Blob Container
# Define variables
$location = "canadacentral"
$resourceGroup = "AZ100_SA_PS"
$storageAccountName = "sbaz100sa"
$containerName = "az100"
# Retrieve the context (Get-AzureRmStorageAccountKey returns key objects, so take the value of the first key)
$key = (Get-AzureRmStorageAccountKey -ResourceGroupName $resourceGroup -Name $storageAccountName)[0].Value
$context = New-AzureStorageContext -StorageAccountName $storageAccountName -StorageAccountKey $key
# Create a container (-Permission blob allows anonymous reads of blobs; use -Permission Off to keep it private)
New-AzureStorageContainer -Name $containerName -Context $context -Permission blob
# Upload a file
Set-AzureStorageBlobContent -File "D:\02\Image001.bmp" -Container $containerName -Blob "Image001.bmp" -Context $context
# Download a file
Get-AzureStorageBlobContent -Blob "Image001.bmp" -Container $containerName -Destination "D:\02\Downloads" -Context $context
# List files in the container
Get-AzureStorageBlob -Container $containerName -Context $context
# Delete the container
Remove-AzureStorageContainer -Name $containerName -Context $context