This chapter will teach you everything about storing data in Azure, starting from absolute basics. We’ll explain what storage actually is, why different types exist, and how to choose and use them effectively.
Storage = Where you save your data permanentlyWhen you write a document, take a photo, or save data from an app, it needs to be stored SOMEWHERE. That “somewhere” is storage.Key Difference from Memory (RAM):
Memory (RAM): Temporary. Lost when computer turns off. Fast.
Storage (Disk): Permanent. Survives computer restart. Slower than RAM.
Analogy:
RAM = Your desk (work in progress, cleared at end of day)
Storage = Your filing cabinet (permanent records, survives overnight)
Every application needs to store data:Example 1: Blog Website
What needs storage:- Blog posts (text, titles, dates)- Images you upload- User comments- User profile pictures- Website code itselfWithout storage: Every time you restart the website, everything is GONE.
Example 2: E-Commerce Site
What needs storage:- Product catalog (names, prices, descriptions)- Product images- Customer orders- User accounts- Payment history- Inventory levelsWithout storage: You'd lose all customer orders every time server restarts!
Problems:1. Upfront cost ($500-2000 per drive)2. Limited capacity (once full, must buy more drives)3. No redundancy (drive fails = data lost)4. Your responsibility: - Physical security (theft, fire) - Backups (manual, time-consuming) - Hardware failures (drive breaks, you replace it)
Real Example:
Company stores customer data- Buy 10 hard drives ($10,000)- Store in office closet- Fire destroys building- ALL DATA LOST- Company goes bankruptThis happened thousands of times before cloud storage.
1. No upfront cost (pay per GB per month)2. Unlimited capacity (need more? Just use more)3. Built-in redundancy (Azure keeps 3+ copies automatically)4. Microsoft's responsibility: - Physical security (datacenters with guards) - Hardware maintenance (replace failed drives) - Automatic backups (built-in)5. Global availability (access from anywhere)
Cost Comparison:
Traditional (1 TB storage):- Buy 2 TB hard drive: $100- Backup drive: $100- Total upfront: $200- Risk: Still lose data if both drives failAzure (1 TB storage):- $18-50/month depending on tier- $216-600/year- Zero upfront cost- Microsoft keeps 3-6 copies automatically- Risk: Virtually zero (99.999999999% durability)For most businesses: Azure is cheaper AND safer
The Core Principle: “Different Data, Different Needs”
Analogy: Your Home StorageYou don’t store everything the same way at home:
Important documents → Fireproof safe
Books → Bookshelf
Clothes → Closet on hangers
Photos → Photo album or digital cloud
Food → Refrigerator or pantry
Why different storage? Because they have different:
Access patterns (how often you need them)
Size (books vs documents)
Value (important documents vs old magazines)
Azure Storage Works the Same Way:
Different Types of Data:1. Large Files (images, videos, backups) → Use: Blob Storage → Why: Optimized for large objects2. Shared Files (documents, configs) → Use: Azure Files → Why: Can mount like a network drive3. VM Hard Drives → Use: Managed Disks → Why: High performance, attached to VMs4. Application Messages (job queues) → Use: Queue Storage → Why: Reliable message passing5. Structured Data (user profiles, logs) → Use: Table Storage or Databases → Why: Query and search capabilities
Photo Sharing App Architecture:1. User Photos (original uploads) Storage: Blob Storage Why: Large files (images), need to serve billions Tier: Hot (frequently viewed) Cost: $18/month per TB2. Thumbnails (small preview images) Storage: Blob Storage Why: Millions of small files Tier: Hot (shown on every page) Cost: $18/month per TB3. Old Photos (not viewed in 6 months) Storage: Blob Storage Why: Same as original, but moved to cheaper tier Tier: Archive (rarely accessed) Cost: $1/month per TB (18x cheaper!)4. Application Code & Static Files Storage: Blob Storage Why: HTML, CSS, JavaScript files Tier: Hot Size: Usually <1 GB5. User Metadata (username, email, likes) Storage: Azure SQL Database or Cosmos DB Why: Need to query (find user by email) Note: NOT just storage, this is a database6. Background Job Queue (resize images) Storage: Queue Storage Why: Reliable message passing between servers Cost: $0.0004 per 10K operations (basically free)Total Storage Cost Breakdown:- 100 TB original photos: $1,800/month- 10 TB thumbnails: $180/month- 500 TB archived photos: $500/month- App code: $0.18/month (tiny)- Queue: ~$1/monthTotal: ~$2,481/month for massive scale app
Question 1: What kind of data?├─ Large files (images, videos, documents)│ └─> Blob Storage│├─ Need to mount as drive (like Z: or /mnt)│ └─> Azure Files│├─ VM hard drive│ └─> Managed Disks│├─ Application messages/jobs│ └─> Queue Storage│└─ Structured data with queries └─> Table Storage or DatabaseQuestion 2: How often accessed?├─ Constantly (website images)│ └─> Hot Tier ($18/TB/month)│├─ Sometimes (monthly reports)│ └─> Cool Tier ($10/TB/month)│└─ Rarely (old backups, compliance) └─> Archive Tier ($1/TB/month)Question 3: How important is the data?├─ Critical (lose it = business ends)│ └─> GRS or GZRS (6 copies, multiple regions)│├─ Important (lose it = bad, but recoverable)│ └─> ZRS (3 copies, 3 availability zones)│└─ Okay to lose (dev/test, temporary) └─> LRS (3 copies, same datacenter)
Before diving into specific services, let’s define essential terms:Blob (Binary Large Object)
Just a fancy name for “file.” Any file—image, video, document, zip file, anything—is a “blob” in Azure.Why the weird name? Historical computer science term. Just think “blob = file.”
Container
A folder that holds blobs. Like a folder on your computer.Example: Container named “profile-pictures” contains all user profile picture blobs.
Storage Account
The top-level resource that contains all your storage (blobs, files, queues, tables).Analogy: Like your “Documents” folder that contains many subfolders.
Access Tier
How “hot” or “cold” your data is (how often it’s accessed). Hotter = more expensive storage, cheaper access. Colder = cheaper storage, more expensive access.Analogy: Storing winter clothes in the attic (archive) vs. keeping everyday clothes in your closet (hot).
Replication
How many copies Azure keeps and where.LRS: 3 copies in one building
ZRS: 3 copies in 3 buildings (same city)
GRS: 3 copies here + 3 copies 1000+ miles away
Redundancy vs. Backup
Redundancy: Multiple copies to prevent hardware failure (automatic)
Backup: Point-in-time copies to prevent human error (you configure)Example: Delete a file by accident
Redundancy: Doesn’t help (all copies deleted)
Backup: Can restore from yesterday’s backup
[!WARNING]
Gotcha: Changing Access Tiers
Moving data from Hot to Cool is free, but moving data from Cool to Hot incurs an “Early Deletion” or “Retrieval” fee. Don’t use Archive tier for backups you might need to restore instantly—it can take hours to “rehydrate” data.
[!TIP]
Jargon Alert: ReplicationLRS (Locally Redundant): 3 copies in one building (Good enough for non-critical dev).
GRS (Geo-Redundant): 3 copies here + 3 copies in a different region (Essential for Disaster Recovery).
The CAP Theorem in Storage: Consistency vs. Availability
When choosing a replication strategy, you are making a fundamental architectural choice.
Local (LRS/ZRS): Provides CP (Consistency + Partition Tolerance). Because the 3 copies are written synchronously, you are guaranteed to read the latest data, but if all 3 zones go down, the storage is unavailable.
Global (GRS/GZRS): Provides AP (Availability + Partition Tolerance) across regions.
The primary region is updated synchronously (3 copies).
The secondary region (1000+ miles away) is updated asynchronously.
The Trade-off: In a “failover” scenario to the secondary region, you might lose the last few seconds/minutes of data. This is called RPO (Recovery Point Objective).
[!IMPORTANT]
Pro Tip: RA-GRS (Read-Access GRS)
Standard GRS is “Passive”—you can’t touch the secondary region unless a failover occurs. RA-GRS gives you a read-only endpoint in the secondary region at all times. Use this to handle traffic spikes by offloading read-requests to the other side of the world!
A “Stamp” is a cluster of roughly 10-20 racks of storage servers. Each rack has its own power and network.
When you create a storage account, it is assigned to a Stamp.
LRS (Local Replication) ensures your data is written to three different disks on three different racks within that single stamp. Even if a whole rack’s power supply fails, your data is safe.
Azure doesn’t just store files as names. It uses a Partition Key system.
Every blob belongs to a partition.
Azure’s Front-End Layer looks at the requested blob name, determines which Partition Server owns it, and routes the request there.
Pro Tip: If you name your blobs with a sequential prefix (like 2024-01-01-log1, 2024-01-01-log2), they might all end up on the same Partition Server, causing a “Hot Partition” bottleneck. Using a random prefix or hash helps distribute the load across the entire stamp.
The ACK: Your app only receives a “Success” message when the data is safely written to the physical disks of all 3 replicas. This is why Azure Storage is Strongly Consistent.
Use cases:- Documents (PDF, Word, Excel)- Media (images, audio, video)- Logs and telemetry- BackupsCharacteristics:- Up to 190.7 TB per blob- Composed of blocks (up to 4.75 TB each)- Can update individual blocks- Most common blob type (95% of use cases)
Use cases:- Azure VM disks (VHD files)- Database files- Random access scenariosCharacteristics:- Up to 8 TB per blob- Optimized for frequent read/write- 512-byte page alignment- Higher cost than block blobs
Most users never directly use page blobs (Azure manages them for VM disks).
Optimized for append operations
Use cases:- Logging and auditing- Time-series data- IoT telemetryCharacteristics:- Up to 195 GB per blob- Append-only (no update/delete of blocks)- Efficient for log aggregation
# Enable versioningaz storage account blob-service-properties update \ --account-name mystorageaccount \ --enable-versioning true# Every modification creates new version# Old versions accessible by version ID# Protects against accidental overwrites
Use case: Track document changes, audit trail
Soft Delete
Recoverable deletion
# Enable soft delete (7 days)az storage account blob-service-properties update \ --account-name mystorageaccount \ --enable-delete-retention true \ --delete-retention-days 7# Deleted blobs retained for 7 days# Can undelete within retention period
# Use managed identity or user identity# RBAC roles: Storage Blob Data Reader/Contributoraz role assignment create \ --role "Storage Blob Data Contributor" \ --assignee <identity-id> \ --scope /subscriptions/.../storageAccounts/mystorageaccount
Encryption at Rest:
Default: Microsoft-managed keys (automatic) ✅ No configuration needed ✅ Free ❌ Microsoft controls keysCustomer-managed keys (CMK): ✅ You control key rotation ✅ Audit key access ⚠️ Requires Azure Key Vault
Performance: Up to 60 MB/s throughput, 1,000 IOPSPricing: $0.06/GB/monthMinimum: NoneUse for: General-purpose file shares, dev/test
Performance: Up to 10,000 IOPS, 200 MB/s per TB provisionedPricing: $0.20/GB/month (provisioned, not consumed)Minimum: 100 GBUse for: High-performance, low-latency workloads
# Get storage account key$storageKey = (az storage account keys list ` --account-name mystorageaccount ` --query "[0].value" -o tsv)# Mount file sharenet use Z: \\mystorageaccount.file.core.windows.net\myshare ` /user:AZURE\mystorageaccount $storageKey# Persistent mount (survives reboot)cmdkey /add:mystorageaccount.file.core.windows.net ` /user:AZURE\mystorageaccount /pass:$storageKey# Add to Windows startup
# Install cifs-utilssudo apt-get install cifs-utils# Create mount pointsudo mkdir /mnt/myshare# Create credentials filesudo bash -c 'echo "username=mystorageaccount" >> /etc/smbcredentials'sudo bash -c 'echo "password=STORAGE_KEY" >> /etc/smbcredentials'sudo chmod 600 /etc/smbcredentials# Mount sharesudo mount -t cifs //mystorageaccount.file.core.windows.net/myshare /mnt/myshare -o credentials=/etc/smbcredentials,dir_mode=0777,file_mode=0777# Add to /etc/fstab for persistent mount//mystorageaccount.file.core.windows.net/myshare /mnt/myshare cifs credentials=/etc/smbcredentials,dir_mode=0777,file_mode=0777 0 0
❌ Bad (hotspot on same partition):/images/2024/01/01/image1.jpg/images/2024/01/01/image2.jpg/images/2024/01/01/image3.jpg✅ Good (distributed across partitions):/ab/images/2024/01/01/image1.jpg/cd/images/2024/01/01/image2.jpg/ef/images/2024/01/01/image3.jpgUse first 2 characters of hash as prefix
3. Parallel Uploads
from azure.storage.blob import BlobServiceClientblob_service = BlobServiceClient(account_url="...", credential="...")blob_client = blob_service.get_blob_client("mycontainer", "largefile.zip")# Upload in parallel (default: 4 MB chunks)with open("largefile.zip", "rb") as data: blob_client.upload_blob( data, max_concurrency=10, # 10 parallel uploads overwrite=True )# 10x faster for large files
4. Use Appropriate Tier
Hot Tier: Frequently accessed (< 30 days)Cool Tier: Infrequently accessed (30-90 days)Archive Tier: Rarely accessed (180+ days)Example:- Website images: Hot- 60-day backup: Cool- 1-year compliance archive: ArchiveSavings: Up to 98% for Archive vs Hot
Backup Strategy for 100 GB database:1. Daily Backups (7 days): - Store in Cool tier - Cost: 7 × 100 GB × $0.01 = $7/month2. Weekly Backups (4 weeks): - Store in Cool tier - Cost: 4 × 100 GB × $0.01 = $4/month3. Monthly Backups (12 months): - Store in Archive tier - Cost: 12 × 100 GB × $0.001 = $1.20/monthTotal: $12.20/month (vs $43 if all Hot)Lifecycle Policy:- Daily: Cool immediately- After 30 days: Move to Archive- After 365 days: DeleteIncremental Backups:- Only changed data backed up daily- Reduces storage by 80-90%- Final cost: ~$2-3/month
Q4: Optimize storage for a media streaming app
Architecture:1. Video Storage: - Original files: Archive tier (rarely accessed) - Transcoded versions: Hot tier (frequently streamed) - Use CDN (Azure Front Door) for global distribution2. Thumbnail Storage: - Hot tier (displayed on every page) - Small files, high access frequency - CDN caching (90%+ cache hit rate)3. User Uploads: - Start in Hot tier (recently uploaded, often viewed) - After 30 days: Move to Cool (older content) - After 180 days: Move to Archive (historical)4. CDN Configuration: - Cache thumbnails: 7 days - Cache videos: 1 day (balance freshness and cost) - Purge cache on content update5. Performance: - Parallel video chunk uploads (10 concurrent) - Adaptive bitrate streaming (HLS/DASH) - Geo-replication (LRS → GRS for critical content)Cost Savings:- Without optimization: $5,000/month- With optimization: $1,200/month (76% reduction)Optimizations:- Lifecycle policies: $2,000 savings- CDN (reduced blob reads): $1,500 savings- Incremental backups: $300 savings
Q5: Implement global data replication with conflict resolution
Global Replication Strategy:1. Use GRS (Geo-Redundant Storage): - Primary: East US - Secondary: West US (read-only) - Automatic failover on regional outage2. Or use multi-region architecture: - Storage accounts in each region - Azure Traffic Manager routes to closest - Application-level replication3. Conflict Resolution: Option A: Last Write Wins (LWW) - Use blob versioning - Latest timestamp wins - Simple, may lose data Option B: Application-Level Merge - Store conflict versions separately - Manual resolution - Complex, but no data loss4. Implementation: ```python from azure.storage.blob import BlobServiceClient # Primary storage primary = BlobServiceClient(account_url="https://storage-eastus...") secondary = BlobServiceClient(account_url="https://storage-westus...") def upload_with_replication(blob_name, data): # Upload to primary primary_blob = primary.get_blob_client("mycontainer", blob_name) primary_blob.upload_blob(data, overwrite=True) # Replicate to secondary secondary_blob = secondary.get_blob_client("mycontainer", blob_name) secondary_blob.upload_blob(data, overwrite=True) # Or use change feed for async replication ```5. Monitoring: - Alert on replication lag > 15 minutes - Monitor blob change feed - Test failover monthly
Q6: Secure storage with zero-trust architecture
Zero-Trust Storage Security:1. Network Isolation: - Disable public access entirely - Use Private Endpoints only - Traffic never leaves Azure backbone2. Identity-Based Access: - No shared keys (disable storage account keys) - Azure AD authentication only - RBAC with least privilege - Managed identities for applications3. Encryption: - Customer-managed keys (Azure Key Vault) - Key rotation every 90 days - Separate keys per container4. Data Protection: - Blob versioning enabled - Soft delete (30 days) - Immutable storage (WORM compliance) - Legal hold for litigation5. Monitoring: - Storage Analytics logs → Log Analytics - Alert on: - Anonymous access attempts - Failed authentication - Key access from Key Vault - Blob deletion6. Implementation: ```bash # 1. Disable public access az storage account update \ --name mystorageaccount \ --public-network-access Disabled # 2. Create private endpoint az network private-endpoint create \ --name pe-storage \ --vnet-name vnet-prod \ --subnet snet-data \ --private-connection-resource-id /subscriptions/.../storageAccounts/mystorageaccount \ --group-ids blob # 3. Disable shared key access az storage account update \ --name mystorageaccount \ --allow-shared-key-access false # 4. Enable customer-managed keys az storage account update \ --name mystorageaccount \ --encryption-key-source Microsoft.Keyvault \ --encryption-key-vault https://myvault.vault.azure.net \ --encryption-key-name storage-key # 5. Enable versioning and soft delete az storage account blob-service-properties update \ --account-name mystorageaccount \ --enable-versioning true \ --enable-delete-retention true \ --delete-retention-days 30 # 6. Configure immutable storage (WORM) az storage container immutability-policy create \ --account-name mystorageaccount \ --container-name compliance \ --period 2555 # 7 years in days ```
This is the #1 support ticket. If your app can’t access a blob:
Client IP: Is your Storage Account Firewall blocking the code’s IP? Check if you have a Private Endpoint but the code is trying to use the Public Endpoint.
SAS Token Expiry: If using SAS tokens, check the clock! Is the system time on your server out of sync with Azure?
RBAC Propagation: Did you just grant the “Storage Blob Data Contributor” role? RBAC changes can take up to 10 minutes to propagate.
Storage Limit: Standard accounts have a limit of 5 PB. If you hit this, you need a second account.
Egress Limits: Standard accounts are limited to roughly 50 Gbps of outbound traffic. If you are serving massive videos to millions of users, you must use a Content Delivery Network (CDN) to offload the traffic.
[!TIP]
Pro Tool: Storage Explorer
Don’t rely solely on the Azure Portal. Use Azure Storage Explorer (desktop app). It provides much better visibility into hidden metadata, lease statuses, and large-scale migrations.
