This is the second part of the two-part blog series around everything that you need to know about Azure Storage. In the first part, we looked at what Azure Storage is and which services are part of it. In this blog, we will focus on Replication, Encryption, Cost, Access Control and Types of Storage Accounts.
Let’s start with Storage Accounts. Storage Accounts provide you with a unique namespace in the cloud to store and access your data objects in Azure Storage. Storage Accounts can contain any blob, file, and queue that you create under that account. There are three types of Storage Accounts that you can create in Azure:
- General-Purpose Standard: This type of Storage Account can contain all of the storage services (Blobs, Files, and Queues) and all types of Blobs (Block, Append and Page). When you create a General-Purpose Standard Storage Account, you are basically storing your data on HDDs.
- General-Purpose Premium: This type of Storage Account is highly recommended for storing Page Blobs. Since General Purpose Premium accounts are backed by SSDs, they offer higher performance for your virtual hard drives that are part of the Page Blobs.
- Blob Storage Account: This is a specialized type of Storage Account that can be used to store Block Blobs and Append Blobs. The main difference is that you can define storage tiers under this account. You can define a hot tier and a cold tier, but keep in mind that the hot tier costs more to store and less to access, while the cold tier costs less to store and more to access. You can change the tier at any point, but there is a cost associated with that. So design your tiers and assign storage to this account accordingly.
Next, let’s talk about access control for the storage services. One thing to keep in mind is that each storage account has two authentication keys at any time, and either of those keys can be used to access all the data in the storage account, so you need to make sure that you don’t share these keys with anyone or put them on a public website. You can use the following two mechanisms to keep your data safe.
- Azure AD: Using Azure AD, you can assign roles to users, groups or applications. This Role-Based Access Control (RBAC) is really limited in terms of features. You can only assign roles that allow or block access to the management capabilities of your storage account. You cannot, however, restrict access to your storage containers using RBAC. Another thing that you can do using RBAC is to restrict which users have access to the authentication keys that can be used to access all your data.
- Shared Access Signatures: You can use a combination of Shared Access Signatures (SAS) and stored access policies to secure your data. A SAS is a string containing a security token that is appended to the URI of your data object; it lets you delegate access to specific storage objects and specify constraints such as permissions and the date/time range of access.
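As an added example (not code from the original post), here is a small Go audit of the constraints a SAS URL carries, run over constructed sample URLs with placeholder signatures: it flags tokens that grant write or delete, expire further out than policy allows, are not limited to HTTPS, or carry no source-IP restriction. The sample URLs and the maxLifetime policy value are this example's own assumptions; the query keys themselves (sp, se, si, spr, sip, sig) are the standard SAS parameters.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

const ( // constructed sample URLs; the sig values are placeholders, not real signatures
	weakSAS   = "https://example.blob.core.windows.net/backups?sv=2020-08-04&sp=rwdl&se=2025-01-01T00%3A00%3A00Z&sig=PLACEHOLDER"
	strictSAS = "https://example.blob.core.windows.net/backups?sv=2020-08-04&sp=rl&st=2024-01-01T00%3A00%3A00Z&se=2024-01-01T12%3A00%3A00Z&spr=https&sip=203.0.113.10&sig=PLACEHOLDER"
)

// AuditSAS inspects a SAS URL's query string and returns the weaknesses found. sp, st, se, si,
// spr, sip and sig are the standard SAS query keys; maxLifetime is this example's own policy knob.
func AuditSAS(rawURL string, now time.Time, maxLifetime time.Duration) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	q := u.Query()
	if q.Get("sig") == "" {
		return nil, fmt.Errorf("no sig parameter: not a SAS URL")
	}
	var findings []string
	// Permissions beyond read/list turn a leaked link into write or delete access.
	if p := q.Get("sp"); strings.ContainsAny(p, "wdac") {
		findings = append(findings, "grants write/delete/add/create: sp="+p)
	}
	// An ad hoc SAS must carry its own expiry; only a stored access policy (si) may supply it instead.
	if se := q.Get("se"); se == "" {
		if q.Get("si") == "" {
			findings = append(findings, "no expiry (se) and no stored policy (si)")
		}
	} else if exp, err := time.Parse(time.RFC3339, se); err != nil {
		findings = append(findings, "unparseable expiry: se="+se)
	} else if exp.Sub(now) > maxLifetime {
		findings = append(findings, "expiry exceeds policy: se="+se)
	}
	// Without spr=https the token is also accepted over plain HTTP.
	if q.Get("spr") != "https" {
		findings = append(findings, "not restricted to HTTPS (spr)")
	}
	// Without sip anyone holding the link can use it from any network.
	if q.Get("sip") == "" {
		findings = append(findings, "no source IP restriction (sip)")
	}
	return findings, nil
}
```

Run against the two constants, the weak URL yields four findings and the strict one none; the same check is worth running over any SAS URL found in logs, tickets or source control.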
Next, let’s talk about Encryption. As Werner Vogels, the CTO of Amazon, said: “Dance like nobody is watching, Encrypt like everyone is!!”. In today’s IT environment, this is something that everybody should remember. With so many data breaches happening, you need to make sure that your data is always encrypted. Microsoft supports the following two types of encryption:
- Encryption at Rest: Azure Storage Service Encryption (SSE) for Data at Rest helps you protect your data. Encryption at Rest is enabled by default for all the data that is stored in Azure. All your data is encrypted before it is persisted to disk and decrypted before it is returned to you. Both operations are completely transparent to the user, and you don’t have to update your application code to benefit from this. SSE uses 256-bit AES encryption for all the data that is stored in Azure Storage.
- Client-Side Encryption: The storage client libraries have methods that you can call to programmatically encrypt your data before sending it across the wire from the client to Azure. Once you retrieve your data, you have to decrypt it yourself after you have received it. This is not as seamless as you might want, but it is the only way to get end-to-end encryption. Because Microsoft only supports encryption at rest and not in transit, you have to make sure that you encrypt your data before putting it on the wire.
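An added example, not from the post or from the storage client libraries, showing the envelope pattern behind encrypt-before-upload and decrypt-after-download in Go: it assumes a 32-byte key-encryption key (KEK) that only the client holds, gives each object its own content encryption key (CEK), and sends only the ciphertext plus the sealed CEK, so the storage service never sees either key. The Envelope layout and the function names are this example's own, not the SDK's metadata format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Envelope is the upload unit: object ciphertext plus the per-object content key (CEK) sealed under the KEK.
type Envelope struct{ Ciphertext, WrappedCEK []byte } // each is nonce||ciphertext||tag; layout is this example's own

func gcm(key []byte) cipher.AEAD { // panics on a bad key length, which is a programming error
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // AES blocks are 16 bytes, so this cannot fail
	return aead
}

func seal(key, plaintext []byte) []byte { // fresh random nonce per call: GCM nonces must never repeat
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail as of Go 1.24
	return g.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) { // a wrong key or any tampered byte fails here
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptForUpload: a fresh 256-bit CEK per object; the object is sealed under the CEK, the CEK under the KEK.
func EncryptForUpload(kek, plaintext []byte) Envelope {
	cek := make([]byte, 32)
	rand.Read(cek)
	return Envelope{Ciphertext: seal(cek, plaintext), WrappedCEK: seal(kek, cek)}
}

func DecryptAfterDownload(kek []byte, env Envelope) ([]byte, error) { // unwrap the CEK, then the object
	cek, err := open(kek, env.WrappedCEK)
	if err != nil {
		return nil, err
	}
	return open(cek, env.Ciphertext)
}
```

Because GCM authenticates, a blob modified in storage or decrypted with the wrong KEK fails outright instead of yielding garbage.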
Next, we will talk about Replication. This is the penultimate thing that I want to talk about, so keep going. To make sure that your data is always available, Microsoft keeps multiple copies of your data in its datacenters. You select one of the following replication schemes when you create a new Storage Account:
- Locally-Redundant Storage (LRS): This is designed to provide 11 nines of durability for your objects over a period of one year. LRS means that your data is replicated and the copies are stored across different fault and update domains, making sure that you don’t lose your data when a disk failure happens. The data is copied synchronously, and a write is only acknowledged to your application once it has been written to all the drives.
- Zone-Redundant Storage (ZRS): This is one level up from LRS. With LRS, all the copies of your data are stored in different update and fault domains in the same datacenter, but with ZRS, copies of your data are synchronously stored across multiple availability zones in an Azure region. By doing this, Microsoft is able to offer 12 nines of durability for your stored objects over a period of one year. ZRS used to make asynchronous copies a while back; that variant is now referred to as ZRS-Classic. In ZRS-Classic, you had to wait for Microsoft to initiate a failover of an availability zone before you could access your replica.
- Geo-Redundant Storage (GRS): GRS is designed for 16 nines of durability, and Microsoft achieves that by storing copies of your data across two different Azure Regions. So even if there is a natural disaster and an Azure Region goes down, you would still have a copy of your data available.
- Read-Access Geo-Redundant Storage (RA-GRS): With GRS, only the primary copy of your data is readable, but with RA-GRS the secondary copy is readable too, so you can point your application to the secondary copy for read-only operations. And since it is based on GRS, it offers the same 16 nines of durability for your stored objects over the span of one year.
Finally, we want to look at the cost of using these storage services. Instead of talking about what to consider when calculating the pricing, like the amount of storage, the type of storage, etc., I thought it would be better to just point you to the Azure Storage Pricing landing page, where you can find exact, up-to-date costs for all the Azure Storage services.
That’s it! You made it all the way to the end. I hope this series helped you understand the different aspects of Azure Storage. Please leave a comment and let me know if you have any questions.