Provide private storage for internal company documents



This content originally appeared on DEV Community and was authored by Samuel

Create and configure a storage account for Azure Files.

Definition of Private Storage in Azure:
Private Storage in Azure means storing your data in Azure so that only you (or your organization) can access it, not the public. It’s secure, restricted, and protected, like having a private room in a big data hotel.

Think of Azure as a huge online building (the cloud) with many rooms (storage accounts).
Private storage means your room is locked — only people you trust have the key (permissions).
Others can’t see or enter your room (data) unless you permit them.

Key Points:

  • Used to keep data safe and private
  • Access is restricted to specific users or apps
  • Often used for business files, backups, databases, etc.
  • Managed through tools like Azure Blob Storage + private endpoints or access control

In short, Private Storage in Azure = a secure data space that only you control and access.

An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data, accessible from anywhere in the world over HTTP or HTTPS.
A storage account is an Azure Resource Manager resource. Resource Manager is the deployment and management service for Azure.
Azure Files provides fully managed file shares in the cloud, accessible via the Server Message Block (SMB) and Network File System (NFS) protocols. To use Azure Files, you first need a storage account.

In this article, I will focus on providing private storage for internal company documents by creating and configuring a storage account for Azure Files.

The company needs storage for its offices and departments. This content is private to the company and shouldn’t be shared without consent. This storage requires high availability if there’s a regional outage. The company wants to use this storage to back up the public website storage.

Tasks

  • Create a storage account for the company’s private documents.
  • Configure redundancy for the storage account.
  • Configure a shared access signature so partners have restricted access to a file.
  • Back up the public website storage.
  • Implement lifecycle management to move content to the cool tier.

Create a storage account and configure high availability.

1. Create a storage account for the internal private company documents.

  • In the portal, search for and select Storage accounts.
    [Screenshot: search for Storage accounts]

  • Select + Create.
    [Screenshot: select + Create]

  • Select the Resource group created in the previous lab.

  • Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.
    [Screenshot: select the previous resource group and set the storage account name to private]

  • Select Review, and then Create the storage account.
    [Screenshot: Review + create, then validation]

  • Wait for the storage account to deploy, and then select Go to resource.
    [Screenshot: deployment complete, select Go to resource]

2. This storage requires high availability in the event of a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

  • In the storage account, in the Data management section, select the Redundancy blade.
    [Screenshot: navigate to the Redundancy blade]
  • Ensure Geo-redundant storage (GRS) is selected. GRS replicates the data to a paired secondary region without read access to it, which matches the requirement; read-access geo-redundant storage (RA-GRS) is not needed here.
  • Refresh the page.
  • Review the primary and secondary location information.
  • Save your changes.
    [Screenshot: refresh, review, and save]

Create a storage container, upload a file, and restrict access to the file.

1. Create a private storage container for the corporate data.

  • In the storage account, in the Data storage section, select the Containers blade.
  • Select + Container.
    [Screenshot: Containers blade, add a new container]
  • Ensure the Name of the container is private.
  • Ensure the Public access level is Private (no anonymous access).
  • As you have time, review the Advanced settings, but take the defaults.
  • Select Create.
    [Screenshot: name the container; confirm the private container was created]

2. For testing, upload a file to the private container. The type of file doesn’t matter; a small image or text file is a good choice. Test to ensure the file isn’t publicly accessible.

  • Select the container.
  • Select Upload.
  • Browse to files and select a file.
  • Upload the file.
    [Screenshot: uploading a file into the private container]

  • Select the uploaded file.

  • On the Overview tab, copy the URL.
    [Screenshot: copy the URL]

  • Paste the URL into a new browser tab.

  • Verify the file doesn’t display, and you receive an error.
    [Screenshot: public access denied, shown by the error]

3. An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

  • Select your uploaded blob file and move to the Generate SAS tab.
  • In the Permissions drop-down, ensure the partner has only Read permissions.
  • Verify that the Start and expiry date/time are for the next 24 hours.
    [Screenshot: on the uploaded blob, set the access permissions and period]

  • Select Generate SAS token and URL.

  • Copy the Blob SAS URL to a new browser tab.
    [Screenshot: test the generated SAS URL in a browser]

  • Verify you can access the file. If you have uploaded an image file, it will display in the browser. Other file types will be downloaded.
    [Screenshot: the uploaded file downloads]
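The two tests in this part of the lab (the anonymous-access test on the blob URL and the SAS test) can be scripted rather than eyeballed in a browser. The Python below is an added example, not code from the original post or from Microsoft's lab: classify_anonymous_response() reads the XML error body the storage service returns to an anonymous request, check_partner_sas() inspects a blob SAS URL for the properties the lab asks for (read-only, HTTPS-only, scoped to one blob, a lifetime of at least 24 hours), and redact_sas() masks the signature so the URL can be logged or pasted into a ticket. The account name, blob name, timestamps and signature placeholder in the sample URL are constructed, and the 48-hour upper cap on the token lifetime is an assumption of this example, not a lab requirement.

```python
"""Added example (not from the original post): scripted versions of the
anonymous-access test and the SAS test. Sample inputs are constructed and
the SAS signature is a placeholder."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample: error body returned (HTTP 404) to an anonymous GET of a
# blob in a container whose public access level is Private.
ANONYMOUS_DENIED_BODY = (
    "<Error><Code>ResourceNotFound</Code>"
    "<Message>The specified resource does not exist.</Message></Error>"
)
# Constructed sample blob SAS URL in the shape the portal generates;
# <sas-sig-placeholder> stands in for the base64 signature.
SAMPLE_SAS_URL = (
    "https://privatexyz.blob.core.windows.net/private/report.txt"
    "?sp=r&st=2025-01-10T09:00:00Z&se=2025-01-11T09:00:00Z&spr=https"
    "&sv=2022-11-02&sr=b&sig=<sas-sig-placeholder>"
)
# Service error codes that mean the request was refused, not served.
_DENIED_CODES = {"ResourceNotFound", "PublicAccessNotPermitted", "AuthorizationFailure"}
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ")


def classify_anonymous_response(status_code, body):
    """'served' if the blob came back, 'denied:<Code>' for a storage error
    that refused the request, 'unexpected:<status>' for anything else."""
    if status_code == 200:
        return "served"
    try:
        raw = body.encode() if isinstance(body, str) else body
        code = ET.fromstring(raw).findtext("Code")
    except ET.ParseError:
        code = None
    return f"denied:{code}" if code in _DENIED_CODES else f"unexpected:{status_code}"


def parse_sas_time(value):
    """SAS timestamps are UTC in ISO 8601 form, with or without seconds."""
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp {value!r}")


def parse_sas_url(url):
    parts = urlsplit(url)
    fields = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts, fields


def check_partner_sas(url, allowed="r", min_hours=24, max_hours=48):
    """Return a list of findings; an empty list means the SAS meets the policy.
    max_hours is this example's own cap, not something the lab specifies."""
    parts, sas = parse_sas_url(url)
    findings = []
    if parts.scheme != "https":
        findings.append("URL is not https")
    if "sig" not in sas:
        findings.append("no sig parameter: this is not a SAS URL")
    perms = set(sas.get("sp", ""))
    if not perms:
        findings.append("no sp (permissions) parameter")
    extra = perms - set(allowed)
    if extra:
        findings.append(f"permissions beyond {allowed!r}: {''.join(sorted(extra))}")
    if sas.get("spr", "https,http") != "https":  # an absent spr allows HTTP too
        findings.append("token does not require HTTPS (spr)")
    if sas.get("sr") != "b":
        findings.append(f"token is not scoped to one blob (sr={sas.get('sr')!r})")
    try:
        expiry = parse_sas_time(sas["se"])
        start = parse_sas_time(sas["st"]) if "st" in sas else datetime.now(timezone.utc)
    except (KeyError, ValueError) as exc:
        findings.append(f"bad or missing time bounds: {exc}")
        return findings
    lifetime = expiry - start
    if lifetime < timedelta(hours=min_hours):
        findings.append(f"lifetime {lifetime} is shorter than the {min_hours}h required")
    if lifetime > timedelta(hours=max_hours):
        findings.append(f"lifetime {lifetime} exceeds the {max_hours}h cap")
    return findings


def redact_sas(url):
    """Mask the signature so the URL can be logged without leaking the token."""
    parts, sas = parse_sas_url(url)
    if "sig" in sas:
        sas["sig"] = "REDACTED"
    return urlunsplit(parts._replace(query=urlencode(sas)))


if __name__ == "__main__":
    print(classify_anonymous_response(404, ANONYMOUS_DENIED_BODY))
    print(check_partner_sas(SAMPLE_SAS_URL) or "SAS meets the partner policy")
    print(redact_sas(SAMPLE_SAS_URL))
```

Paste the Blob SAS URL from the portal in place of SAMPLE_SAS_URL; any finding means the token should be regenerated before it goes to the partner. The check reads only the claims carried in the query string; it does not verify the signature, which would need the account key.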

Configure storage access tiers and content replication.

1. To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

  • Return to the storage account.
  • In the Overview section, notice that the Default access tier is set to Hot.
    [Screenshot: Default access tier is set to Hot in the storage account overview]

  • In the Data management section, select the Lifecycle management blade.

  • Select Add rule.
    [Screenshot: navigate to Add rule]

  • Set the Rule name to movetocool.

  • Set the Rule scope to Apply rule to all blobs in the storage account.

  • Select Next.
    [Screenshot: set the rule name and scope]

  • Ensure Last modified is selected.

  • Set More than (days ago) to 30.

  • In the Then drop-down, select Move to cool storage.
    [Screenshot: set the days and select Move to cool storage]

  • As you have time, review other lifecycle options in the drop-down.
    [Screenshot: reviewing the other lifecycle options]

  • Add the rule.
    [Screenshot: click Add rule]

    [Screenshot: lifecycle management rule successfully added]
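Before enabling the rule, it helps to see it as the JSON the portal saves and to dry-run it against a listing, so you know which blobs it would touch. The Python below is an added example, not code from the original post or from Microsoft's lab: build_move_to_cool_policy() produces a management-policy document in the Azure Storage schema for the movetocool rule (tierToCool once daysAfterModificationGreaterThan is 30, block blobs only, optionally limited to container/prefix values), dry_run() applies it to a constructed blob listing, and has_destructive_actions() flags any delete action, which is easy to add by mistake while reviewing the other lifecycle options. The blob names, dates and tiers in SAMPLE_BLOBS are constructed.

```python
"""Added example (not from the original post): build the movetocool
lifecycle rule as management-policy JSON and dry-run it against a
constructed blob listing before enabling it."""
import json
from datetime import datetime, timedelta, timezone


def build_move_to_cool_policy(rule_name="movetocool", days=30, prefixes=None):
    """Rule: base blobs not modified for more than `days` days move to Cool.
    `prefixes` (e.g. ["private/"], container name included) narrows the scope;
    None applies the rule to all blobs, as the lab does."""
    filters = {"blobTypes": ["blockBlob"]}
    if prefixes:
        filters["prefixMatch"] = list(prefixes)
    return {"rules": [{
        "enabled": True,
        "name": rule_name,
        "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": {"tierToCool": {"daysAfterModificationGreaterThan": days}}},
            "filters": filters,
        },
    }]}


def policy_json(policy):
    """Serialise for `az storage account management-policy create --policy @file.json`."""
    return json.dumps(policy, indent=2)


def has_destructive_actions(policy):
    """Return (rule name, action) pairs for actions that delete data."""
    hits = []
    for rule in policy["rules"]:
        for target, actions in rule["definition"]["actions"].items():
            if "delete" in actions:
                hits.append((rule["name"], f"{target}.delete"))
    return hits


# Constructed sample listing; names are "container/blob" as prefixMatch expects.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_BLOBS = [
    {"name": "private/policy.pdf", "type": "blockBlob", "tier": "Hot", "last_modified": NOW - timedelta(days=45)},
    {"name": "private/notes.txt", "type": "blockBlob", "tier": "Hot", "last_modified": NOW - timedelta(days=3)},
    {"name": "backup/index.html", "type": "blockBlob", "tier": "Cool", "last_modified": NOW - timedelta(days=90)},
    {"name": "logs/app.log", "type": "appendBlob", "tier": "Hot", "last_modified": NOW - timedelta(days=60)},
]


def dry_run(policy, blobs, now):
    """Map blob name -> action the policy would take at `now`.
    Models last-modified conditions on base blobs only."""
    outcomes = {}
    for rule in policy["rules"]:
        if not rule.get("enabled"):
            continue
        definition = rule["definition"]
        filters = definition.get("filters", {})
        prefixes = filters.get("prefixMatch", [])
        blob_types = set(filters.get("blobTypes", []))
        for blob in blobs:
            if blob["type"] not in blob_types:
                continue
            if prefixes and not any(blob["name"].startswith(p) for p in prefixes):
                continue
            age_days = (now - blob["last_modified"]).days
            for action, condition in definition["actions"].get("baseBlob", {}).items():
                threshold = condition.get("daysAfterModificationGreaterThan")
                if threshold is None or age_days <= threshold:
                    continue
                if action == "tierToCool" and blob["tier"] == "Hot":
                    outcomes[blob["name"]] = "tierToCool"
                elif action == "tierToArchive" and blob["tier"] in ("Hot", "Cool"):
                    outcomes[blob["name"]] = "tierToArchive"
                elif action == "delete":
                    outcomes[blob["name"]] = "delete"
    return outcomes


if __name__ == "__main__":
    policy = build_move_to_cool_policy()
    print(policy_json(policy))
    print(dry_run(policy, SAMPLE_BLOBS, NOW))
```

The policy_json() output can be saved to a file and applied with `az storage account management-policy create --account-name <name> --resource-group <rg> --policy @policy.json` instead of clicking through the portal. dry_run() models only the last-modified condition the lab uses; it does not cover the last-accessed variant or the snapshot and version actions.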

2. The public website files need to be backed up to another storage account.

  • In your storage account, create a new container called backup. Use the default values.
    [Screenshot: create a new container named backup]
    [Screenshot: confirm the backup container was created]

  • Navigate to your publicwebsite storage account. This storage account was created in the previous exercise.

  • In the Data management section, select the Object replication blade.

  • Select Create replication rules.
    [Screenshot: navigate to Create replication rules]

  • Set the Destination storage account to the private storage account.
    [Screenshot: set the destination storage account to private]

  • Set the Source container to public and the Destination container to backup.

  • Create the replication rule.
    [Screenshot: click Create]

Optionally, as you have time, upload a file to the public container. Return to the private storage account and refresh the backup container. Within a few minutes, your public website file will appear in the backup folder.
    [Screenshot: the document uploaded to the public container appears in the private storage account's backup container]

