Storage accounts


What is Azure Storage?

Azure provides many ways to store your data. There are multiple database options like Azure SQL Server, Azure Cosmos DB, and Azure Table Storage. Azure offers multiple ways to store and send messages, such as Azure Queues and Event Hubs. You can even store loose files using services like Azure Files and Azure Blobs.

Azure selected four of these data services and placed them together under the name Azure Storage. The four services are Azure Blobs, Azure Files, Azure Queues, and Azure Tables. The following illustration shows the elements of Azure Storage.

Illustration listing the Azure data services that are part of Azure Storage.

These four were given special treatment because they are all primitive, cloud-based storage services and are often used together in the same application.

What is a storage account?

A storage account is a container that groups a set of Azure Storage services together. Only data services from Azure Storage can be included in a storage account (Azure Blobs, Azure Files, Azure Queues, and Azure Tables). The following illustration shows a storage account containing several data services.

Illustration of an Azure storage account containing a mixed collection of data services.

Combining data services into a storage account lets you manage them as a group. The settings you specify when you create the account, or any that you change after creation, are applied to everything in the account. Deleting the storage account deletes all of the data stored inside it.

A storage account is an Azure resource and is included in a resource group. The following illustration shows an Azure subscription containing multiple resource groups, where each group contains one or more storage accounts.

Illustration of an Azure subscription containing multiple resource groups and storage accounts.

Other Azure data services like Azure SQL and Cosmos DB are managed as independent Azure resources and cannot be included in a storage account. The following illustration shows a typical arrangement: Blobs, Files, Queues, and Tables are inside storage accounts, while other services are not.

Illustration of an Azure subscription showing some data services that cannot be placed in a storage account.

Storage account settings

A storage account defines a policy that applies to all the storage services in the account. For example, you could specify that all the contained services will be stored in the West US datacenter, accessible only over HTTPS, and billed to the sales department’s subscription.

The settings that are controlled by a storage account are:

  • Subscription: The Azure subscription that will be billed for the services in the account.
  • Location: The datacenter that will store the services in the account.
  • Performance: Determines the data services you can have in your storage account and the type of hardware disks used to store the data. Standard allows you to have any data service (Blob, File, Queue, Table) and uses magnetic disk drives. Premium limits you to one specific type of blob called a page blob and uses solid-state drives (SSD) for storage.
  • Replication: Determines the strategy used to make copies of your data to protect against hardware failure or natural disaster. At a minimum, Azure will automatically maintain a copy of your data within the data center associated with the storage account. This is called locally-redundant storage (LRS), and guards against hardware failure but does not protect you from an event that incapacitates the entire datacenter. You can upgrade to one of the other options such as geo-redundant storage (GRS) to get replication at different datacenters across the world.
  • Access tier: Controls how quickly you will be able to access the blobs in this storage account. Hot gives quicker access than Cool, but at increased cost. This applies only to blobs, and serves as the default value for new blobs.
  • Secure transfer required: A security feature that determines the supported protocols for access. Enabled requires HTTPS, while Disabled allows HTTP.
  • Virtual networks: A security feature that allows inbound access requests only from the virtual network(s) you specify.
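The settings above can be checked against what an account actually exposes. The following audit is an added example, not part of the original text or an Azure tool; it reads records shaped like the camelCase JSON that `az storage account show` emits (field names assumed from that output), flags the insecure values for Secure transfer required and Virtual networks, notes LRS-only replication, and adds a minimum-TLS check that goes beyond the list above. Both accounts are constructed samples.

```python
"""Audit security-relevant Azure storage account settings.

Records follow the camelCase property names of `az storage account show`
(an assumption about that output). The two accounts below are CONSTRUCTED
sample data, not real resources.
"""
from dataclasses import dataclass
from typing import Any

# Constructed sample: one account with the weak settings the text warns
# about, one with the hardened equivalents.
SAMPLE_ACCOUNTS: list[dict[str, Any]] = [
    {
        "name": "salespublicdata",           # constructed name
        "location": "westus",
        "sku": {"name": "Standard_LRS"},     # locally-redundant only
        "accessTier": "Hot",
        "enableHttpsTrafficOnly": False,     # Secure transfer required: disabled
        "minimumTlsVersion": "TLS1_0",
        "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": []},
    },
    {
        "name": "salesproprietary",          # constructed name
        "location": "westus",
        "sku": {"name": "Standard_GRS"},     # geo-redundant
        "accessTier": "Cool",
        "enableHttpsTrafficOnly": True,
        "minimumTlsVersion": "TLS1_2",
        "networkRuleSet": {
            "defaultAction": "Deny",
            "virtualNetworkRules": [
                # placeholder resource id, not a real subnet
                {"id": "/subscriptions/<placeholder>/.../subnets/app", "action": "Allow"}
            ],
        },
    },
]


@dataclass(frozen=True)
class Finding:
    account: str
    setting: str
    severity: str   # "high", "medium" or "info"
    detail: str


def audit_account(acct: dict[str, Any]) -> list[Finding]:
    """Return one Finding per setting that deviates from the hardened value."""
    name = acct.get("name", "<unnamed>")
    findings: list[Finding] = []

    # Secure transfer required: off means plain HTTP is accepted.
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(Finding(name, "Secure transfer required", "high",
                                "HTTP allowed; set enableHttpsTrafficOnly=true"))

    # Minimum TLS version: not in the text's list, a commonly paired control.
    tls = acct.get("minimumTlsVersion", "TLS1_0")
    if tls != "TLS1_2":
        findings.append(Finding(name, "Minimum TLS version", "medium",
                                f"{tls} accepted; require TLS1_2"))

    # Virtual networks: defaultAction Allow means any source may reach the account.
    rules = acct.get("networkRuleSet", {})
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append(Finding(name, "Virtual networks", "high",
                                "defaultAction is Allow; set Deny and add VNet rules"))
    elif not rules.get("virtualNetworkRules") and not rules.get("ipRules"):
        findings.append(Finding(name, "Virtual networks", "info",
                                "defaultAction is Deny but no VNet or IP rules exist"))

    # Replication: LRS survives hardware failure, not loss of the datacenter.
    sku = acct.get("sku", {}).get("name", "")
    if sku.endswith("_LRS"):
        findings.append(Finding(name, "Replication", "info",
                                "LRS: a datacenter-wide event would make data unavailable"))
    return findings


def audit_all(accounts: list[dict[str, Any]]) -> dict[str, list[Finding]]:
    """Map each account name to its findings."""
    return {a["name"]: audit_account(a) for a in accounts}


if __name__ == "__main__":
    for acct_name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{acct_name}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.setting}: {f.detail}")
```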

How many storage accounts do you need?

A storage account represents a collection of settings like location, replication strategy, and subscription owner. You need one storage account for every group of settings that you want to apply to your data. The following illustration shows two storage accounts that differ in one setting; that one difference is enough to require separate storage accounts.

Illustration showing two storage accounts with different settings.

The number of storage accounts you need is typically determined by your data diversity, cost sensitivity, and tolerance for management overhead.

Data diversity

Organizations often generate data that differs in where it is consumed, how sensitive it is, which group pays the bills, etc. Diversity along any of these vectors can lead to multiple storage accounts. Let’s consider two examples:

  1. Do you have data that is specific to a country or region? If so, you might want to locate it in a data center in that country for performance or compliance reasons. You will need one storage account for each location.
  2. Do you have some data that is proprietary and some for public consumption? If so, you could enable virtual networks for the proprietary data and not for the public data. This will also require separate storage accounts.

In general, increased diversity means an increased number of storage accounts.

Cost sensitivity

A storage account by itself has no financial cost; however, the settings you choose for the account do influence the cost of services in the account. Geo-redundant storage costs more than locally-redundant storage. Premium performance and the Hot access tier increase the cost of blobs.

You can use multiple storage accounts to reduce costs. For example, you could partition your data into critical and non-critical categories. You could place your critical data into a storage account with geo-redundant storage and put your non-critical data in a different storage account with locally-redundant storage.

Azure Traffic Manager


Azure Load Balancer helps you achieve high availability and minimize downtime.

Although Load Balancer makes your e-commerce site more highly available, it doesn’t solve the issue of latency or create resiliency across geographic regions.

How can you make your site, which is located in the United States, load faster for users located in Europe or Asia?

What is network latency?

Latency refers to the time it takes for data to travel over the network. Latency is typically measured in milliseconds.

Compare latency to bandwidth. Bandwidth refers to the amount of data that can fit on the connection. Latency refers to the time it takes for that data to reach its destination.

Factors such as the type of connection you use and how your application is designed can affect latency. But perhaps the biggest factor is distance.

Think about your e-commerce site on Azure, which is in the East US region. It would typically take less time to transfer data to Atlanta (a distance of around 400 miles) than to transfer data to London (a distance of around 4,000 miles).

Your e-commerce site delivers standard HTML, CSS, JavaScript, and images. The network latency for many files can add up. How can you reduce latency for users located far away geographically?

Scale out to different regions

Recall that Azure provides data centers in regions across the globe.

Think about the cost of building a data center. Equipment costs aren’t the only factor. You need to provide the power, cooling, and personnel to keep your systems running at each location. It might be prohibitively expensive to replicate your entire data center. But doing so with Azure can cost much less, because Azure already has the equipment and personnel in place.

One way to reduce latency is to provide exact copies of your service in more than one region. The following illustration shows an example of global deployment.

An illustration showing a world map with three Azure data centers highlighted. Each data center is labelled with a unique domain name.

The diagram shows your e-commerce site running in three Azure regions: East US, North Europe, and East Asia. Notice the DNS name for each. How can you connect users to the service that’s closest geographically, but under the contoso.com domain?

Use Traffic Manager to route users to the closest endpoint

One answer is Azure Traffic Manager. Traffic Manager uses the DNS server that’s closest to the user to direct user traffic to a globally distributed endpoint.

The following illustration shows the role of the Traffic Manager.

An illustration showing Azure Traffic Manager routing a user request to the nearest data center.

Traffic Manager doesn’t see the traffic that’s passed between the client and server. Rather, it directs the client web browser to a preferred endpoint. Traffic Manager can route traffic in a few different ways, such as to the endpoint with the lowest latency.

Although not shown here, this setup could also include your on-premises deployment running in California. You can connect Traffic Manager to your own on-premises networks, enabling you to maintain your existing data center investments. Or you can move your application entirely to the cloud. The choice is yours.

Compare Load Balancer to Traffic Manager

Azure Load Balancer distributes traffic within the same region to make your services more highly available and resilient. Traffic Manager works at the DNS level, and directs the client to a preferred endpoint. This endpoint can be to the region that’s closest to your user.

Load Balancer and Traffic Manager both help make your services more resilient, but in slightly different ways. When Load Balancer detects an unresponsive VM, it directs traffic to other VMs in the pool. Traffic Manager, in contrast, monitors the health of your endpoints; when it finds an unresponsive endpoint, it directs traffic to the next closest endpoint that is responsive.

Azure Load Balancer


What are availability and high availability?

Availability refers to how long your service is up and running without interruption. High availability, or highly available, refers to a service that’s up and running for a long period of time.

You know how frustrating it is when you can’t access the information you need. Think of a social media or news site that you visit daily. Can you always access the site, or do you often see error messages like “503 Service Unavailable”?

You may have heard terms like “five nines availability.” Five nines availability means that the service is guaranteed to be running 99.999 percent of the time. Although it’s difficult to achieve 100 percent availability, many teams strive for at least five nines.

What is resiliency?

Resiliency refers to a system’s ability to stay operational during abnormal conditions.

These conditions include:

  • Natural disasters.
  • System maintenance, both planned and unplanned, including software updates and security patches.
  • Spikes in traffic to your site.
  • Threats made by malicious parties, such as distributed denial of service, or DDoS, attacks.

Imagine your marketing team wants to have a flash sale to promote a new line of vitamin supplements. You might expect a huge spike in traffic during this time. This spike could overwhelm your processing system, causing it to slow down or halt, disappointing your users. You may have experienced this disappointment for yourself. Have you ever tried to access an online sale only to find the website wasn’t responding?

What is a load balancer?

A load balancer distributes traffic evenly among each system in a pool. A load balancer can help you achieve both high availability and resiliency.

Say you start by adding additional VMs, each configured identically, to each tier. The idea is to have additional systems ready, in case one goes down or is serving too many users at the same time.

The problem here is that each VM would have its own IP address. Plus, you don’t have a way to distribute traffic in case one system goes down or is busy. How do you connect your VMs so that they appear to the user as one system?

The answer is to use a load balancer to distribute traffic. The load balancer becomes the entry point to the user. The user doesn’t know (or need to know) which system the load balancer chooses to receive the request.

The following illustration shows the role of a load balancer.

An illustration showing the web tier of a three-tier architecture. The web tier has multiple virtual machines to service user requests. There is a load balancer that distributes user requests among the virtual machines.

You see that the load balancer receives the user’s request. The load balancer directs the request to one of the VMs in the web tier. If a VM is unavailable or stops responding, the load balancer stops sending traffic to it. The load balancer then directs traffic to one of the responsive servers.

Load balancing enables you to run maintenance tasks without interrupting service. For example, you can stagger the maintenance window for each VM. During the maintenance window, the load balancer detects that the VM is unresponsive, and directs traffic to other VMs in the pool.

For your e-commerce site, the app and data tiers can also have a load balancer. It all depends on what your service requires.

What is Azure Load Balancer?

Azure Load Balancer is a load balancer service that Microsoft provides that helps take care of the maintenance for you.

When you manually configure typical load balancer software on a virtual machine, there’s a downside: you now have an additional system that you need to maintain. If your load balancer goes down or needs routine maintenance, you’re back to your original problem.

If instead, however, you use Azure Load Balancer, there’s no infrastructure or software for you to maintain.

The following illustration shows the role of Azure load balancers in a multi-tier architecture.

An illustration showing the web tier of a three-tier architecture. The web tier has multiple virtual machines to service user requests. There is a load balancer that distributes user requests among the virtual machines.

Azure virtual network


What’s a virtual network?

A virtual network is a logically isolated network on Azure. Azure virtual networks will be familiar to you if you’ve set up networks on Hyper-V, VMware, or even on other public clouds.

The web, application, and data tiers each have a single VM. Each VM belongs to a virtual network.

Users interact with the web tier directly, so that VM has a public IP address. Users don’t interact with the application or data tiers. So these VMs each have a private IP address.

Azure data centers manage the physical hardware for you. You configure virtual networks through software, which enables you to treat a virtual network just like your own network. For example, you can divide a virtual network into subnets to better control how the network assigns IP addresses. You also choose which other networks your virtual network can reach, whether that’s the public internet or other networks in the private IP address space.

Two virtual machines with a shared network security group

What’s a network security group?

A network security group, or NSG, allows or denies inbound network traffic to your Azure resources. Think of a network security group as a cloud-level firewall for your network.

For example, notice that the VM in the web tier allows inbound traffic on ports 22 (SSH) and 80 (HTTP). This VM’s network security group allows inbound traffic over these ports from all sources. You can configure a network security group to accept traffic only from known sources, such as IP addresses that you trust.
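To make the web-tier example concrete, the following added example (not part of the original text or of Azure) evaluates inbound NSG rules the way the platform does, lowest priority number first with the first match winning, and flags Allow rules that open a management port to any source. The rule sets, the VNet address space, and the 203.0.113.0/24 admin range are constructed; field names mirror `az network nsg rule list` output as an assumption, and service tags are simplified.

```python
"""Evaluate Azure NSG inbound rules (lowest priority number first, first
match wins) and flag rules exposing management ports to any source.

Rule records mirror the camelCase fields of `az network nsg rule list`
(an assumption). All rule sets below are CONSTRUCTED for this example.
Service tags are simplified: "VirtualNetwork" means the constructed VNet
range, "Internet" means any globally routable address.
"""
import ipaddress
from typing import Any

# Azure's built-in default inbound rules (priorities 65000+), simplified.
DEFAULT_INBOUND: list[dict[str, Any]] = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed web-tier NSG as described in the text: SSH and HTTP from anywhere.
WEB_TIER_RULES = [
    {"name": "allow-ssh", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "allow-http", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "80"},
] + DEFAULT_INBOUND

# Hardened variant: SSH only from a trusted admin range (203.0.113.0/24 is a
# documentation prefix, used here as a constructed value).
HARDENED_RULES = [
    {**WEB_TIER_RULES[0], "sourceAddressPrefix": "203.0.113.0/24"},
    WEB_TIER_RULES[1],
] + DEFAULT_INBOUND

VNET_CIDR = ipaddress.ip_network("10.0.0.0/16")  # constructed VNet address space
MANAGEMENT_PORTS = {22, 3389}                    # SSH and RDP


def _source_matches(prefix: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return ip in VNET_CIDR
    if prefix == "Internet":
        return ip.is_global
    return ip in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range: str, port: int) -> bool:
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")   # "22" or "8000-8080"
    return int(lo) <= port <= int(hi or lo)


def _protocol_matches(rule_proto: str, proto: str) -> bool:
    return rule_proto == "*" or rule_proto.lower() == proto.lower()


def evaluate_inbound(rules, src_ip: str, dst_port: int, proto: str = "Tcp") -> tuple[str, str]:
    """Return (access, rule name) of the first inbound rule, by priority, that matches."""
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"), key=lambda r: r["priority"])
    for rule in inbound:
        if (_protocol_matches(rule["protocol"], proto)
                and _source_matches(rule["sourceAddressPrefix"], src_ip)
                and _port_matches(rule["destinationPortRange"], dst_port)):
            return rule["access"], rule["name"]
    return "Deny", "<no rule>"  # not reached while DenyAllInBound is present


def exposed_management_rules(rules) -> list[str]:
    """Names of Allow rules that open a management port to any or Internet source."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and r["sourceAddressPrefix"] in ("*", "Internet", "0.0.0.0/0")
            and any(_port_matches(r["destinationPortRange"], p) for p in MANAGEMENT_PORTS)]


if __name__ == "__main__":
    print(evaluate_inbound(WEB_TIER_RULES, "198.51.100.7", 22))   # ('Allow', 'allow-ssh')
    print(evaluate_inbound(HARDENED_RULES, "198.51.100.7", 22))   # ('Deny', 'DenyAllInBound')
    print(exposed_management_rules(WEB_TIER_RULES))               # ['allow-ssh']
```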

Azure storage


Azure Blob storage

Azure Blob storage lets you stream large video or audio files directly to the user’s browser from anywhere in the world. Blob storage is also used to store data for backup and restore, disaster recovery, and archiving. It has the ability to store up to 8 TB of data for virtual machines. The following illustration shows an example usage of Azure blob storage.

An illustration showing Azure blob storage used to store and stream video or audio files.

Azure Data Lake Storage Gen2

The Data Lake feature allows you to perform analytics on your data usage and prepare reports. Data Lake is a large repository that stores both structured and unstructured data.

Azure Data Lake Storage Gen2 combines the scalability and cost benefits of object storage with the reliability and performance of the Big Data file system capabilities. The following illustration shows how Azure Data Lake stores all your business data and makes it available for analysis.

An illustration showing the role of Azure Data Lake in preparing and storing your data for use by analysis tools. Azure Data Lake can handle a variety of input types such as relational, video, or sensor data.

Azure Files

Azure Files offers fully managed file shares in the cloud. Applications running in Azure can easily share files between VMs. You can use Azure file shares at the same time for cloud or on-premises deployments of Windows, Linux, and macOS. The following illustration shows Azure Files being used to share data between two geographical locations. Azure Files uses the Server Message Block (SMB) protocol, which ensures the data is encrypted at rest and in transit.

An illustration showing the file sharing capabilities of Azure Files.

Azure Queue

Azure Queue storage is a service for storing large numbers of messages that can be accessed from anywhere in the world. To put it in perspective, a single queue message is up to 64 KB in size, and a queue can contain millions of messages.

Typically, there are one or more sender components and one or more receiver components. Sender components add messages to the queue, while receiver components retrieve messages from the front of the queue for processing. The following illustration shows multiple sender applications adding messages to the Azure Queue and one receiver application retrieving the messages.

An illustration showing a high-level architecture of Azure Queue storage

You can use queue storage to:

  • Create a backlog of work and to pass messages between different Azure web servers.
  • Distribute load among different web servers/infrastructure and to manage bursts of traffic.
  • Build resilience against component failure when multiple users access your data at the same time.

Azure Standard Storage

Virtual machines in Azure use disks to store operating systems, applications, and data. Azure Standard Storage delivers reliable, low-cost disk support for VMs running workloads that are not mission critical. With Standard Storage, the data is stored on hard disk drives (HDDs).

When working with VMs, you can use standard SSD and HDD disks for less critical workloads, and premium SSD disks for mission-critical production applications. Azure Disks have consistently delivered enterprise-grade durability, with an industry-leading ZERO% annualized failure rate. The following illustration shows an Azure virtual machine using separate disks to store different data.

An illustration showing two disks inside a virtual machine, one that stores the operating system and one that stores data.

Storage tiers

Azure offers three storage tiers for blob object storage:

  1. Hot storage tier: optimized for storing data that is accessed frequently.
  2. Cool storage tier: optimized for data that is infrequently accessed and stored for at least 30 days.
  3. Archive storage tier: for data that is rarely accessed and stored for at least 180 days with flexible latency requirements.

Encryption and replication

Azure provides security and high availability to your data through encryption and replication features.

Encryption for storage services

The following encryption types are available for your resources:

  1. Azure Storage Service Encryption (SSE) for data at rest helps you secure your data to meet the organization’s security and regulatory compliance. It encrypts the data before storing it and decrypts the data before retrieving it. The encryption and decryption are transparent to the user.
  2. Client-side encryption is where the data is already encrypted by the client libraries. Azure stores the data in the encrypted state at rest, which is then decrypted during retrieval.

Replication for storage availability

A replication type is set up when you create a storage account. The replication feature ensures that your data is durable and always available. Azure provides regional and geographic replications to protect your data against natural disasters and other local disasters like fire or flooding.

The following illustration shows differences between on-premises storage and Azure data storage.

An illustration showing comparison between on-premises storage and Azure data storage for several common business needs.

Azure portal layout


The Azure portal is the primary graphical user interface (GUI) for controlling Microsoft Azure. You can carry out the majority of management actions in the portal, and it is typically the best interface for carrying out single tasks or where you want to look at the configuration options in detail.

The resources and favorites

In the left-hand sidebar of the portal is the resource pane, which lists the main resource types. Note that Azure has more resource types than just those shown. The resources listed are part of your favorites.

You can customize this with the specific resource types you tend to create or administer most often.

You can also collapse this pane with the << caret. This minimizes it to icons only, which can be convenient if you are working with limited screen real estate.

The remainder of the portal view is for the specific elements you are working with. The default (main) page is the dashboard. We’ll cover this a bit later, but it represents a customizable bird’s-eye view of your resources. You can use it to jump into specific resources you want to manage, or search for resources with the All resources entry in the resource panel. When you are managing a resource, such as a virtual machine or a web app, you will work with a blade that presents specific information about the resource.

What is a blade?

The Azure portal uses a blades model for navigation. A blade is a slide-out panel containing the UI for a single level in a navigation sequence. For example, each of these elements in this sequence would be represented by a blade: Virtual machines > Compute > Ubuntu Server.

Each blade contains some information and configurable options. Some of these options generate another blade, which reveals itself to the right of any existing blade. On the new blade, any further configurable options will spawn another blade, and so on. Pretty soon, you can end up with several blades open at the same time. You can maximize blades as well so that they fill the entire screen.

Since new blades are always added to the right of the owner, you can use the scrollbar at the bottom of the window to go backwards to see how you got to this spot in the configuration. Alternatively, you can close blades individually by clicking the X button in the top corner of the blade. If you have unsaved changes, Azure will prompt you to let you know that the changes will be lost if you continue.

Configuring settings in the Azure portal

The Azure portal displays several configuration options, mostly in the status bar at the top-right of the screen.

Notifications

Clicking the bell icon displays the Notifications pane. This pane lists the last actions that have been carried out, along with their status.

Cloud Shell

If you click the Cloud Shell icon (>_), you will create a new Azure Cloud Shell session. Azure Cloud Shell is an interactive, browser-accessible shell for managing Azure resources. It provides the flexibility of choosing the shell experience that best suits the way you work. Linux users can opt for a Bash experience, while Windows users can opt for PowerShell. This browser-based terminal lets you control and administer all of your Azure resources in the current subscription through a command-line interface built right into the portal.

Settings

Click the gear icon to change the Azure portal settings. These settings include:

  • Logout time
  • Color and contrast themes
  • Toast notifications (to a mobile device)
  • Language and regional format

When you have changed settings, click Apply to accept your changes.

Feedback blade

The smiley face icon opens the Send us feedback blade. Here you can send feedback to Microsoft about Azure. Note that you can specify whether Microsoft can respond to your feedback by email.

Help blade

Click the question mark icon to show the Help blade. Here you choose from several options, including:

  • What’s new
  • Azure roadmap
  • Launch guided tour
  • Keyboard shortcuts
  • Show diagnostics
  • Privacy + terms

Directory and subscription

Click the Book and Filter icon to show the Directory + subscription blade.

Azure allows you to have more than one subscription associated with one directory. On the Directory + subscription blade, you can change between subscriptions. Here, you can change your subscription or change to another directory.

Profile settings

If you click on your name in the top right-hand corner, a menu opens with a few options:

  • Sign in with another account, or sign out entirely
  • View your account profile, where you can change your password
  • Check your permissions
  • View your bill (click the “…” button on the right-hand side)
  • Update your contact information (click the “…” button on the right-hand side)

If you click “…” and then View my bill, Azure takes you to the Cost Management + Billing – Invoices page, which helps you analyze where Azure is generating costs.

Azure is a large product, and the Azure portal user interface (UI) reflects this. The sliding blade approach allows you to navigate back and forth through the various administration tasks with ease. Let’s experiment a bit with this UI so you get some practice.

Azure account options


What is an Azure account?

An Azure account is tied to a specific identity and holds information like:

  • Name, email, and contact preferences
  • Billing information such as a credit card

An Azure account is what you use to log in to the Azure portal or the Azure CLI. Every Azure account is associated with one or more subscriptions.

What is an Azure subscription?

An Azure subscription is a logical container used to provision resources in Microsoft Azure. It holds the details of all your resources like virtual machines, databases, etc.

Billing occurs at the subscription level — one bill is generated for every Azure subscription on a monthly basis. You can set spending limits on each subscription to ensure you aren’t surprised at the end of the month.

What is an Azure AD tenant?

Azure AD (Azure Active Directory) is a modern identity provider that supports multiple authentication protocols to secure applications and services in the cloud. It’s not the same as Windows Active Directory, which is focused on securing Windows desktops and servers. Instead, Azure AD is all about web-based authentication standards such as OpenID and OAuth.

Users, applications and other entities registered in Azure AD aren’t all lumped into a single global service. Instead, Azure AD is partitioned into separate tenants. A tenant is a dedicated, isolated instance of the Azure Active Directory service, owned and managed by an organization.

When it comes to Azure AD tenants, there is no concrete definition of “organization” — tenants can be owned by individuals, teams, companies, or any other group of people. Tenants are commonly associated with companies. If you sign up for Azure with an email address that’s not associated with an existing tenant, the sign-up process will walk you through creating your own tenant, owned entirely by you.

Note

The email address you use to sign in to Azure can be associated with more than one tenant. You might see this if you have your own Azure account and you use Microsoft Learn’s Azure sandbox to complete exercises. In the Azure portal, you can only view resources belonging to one tenant at a time. To switch the tenant you’re viewing resources for, select the Book and filter icon at the top of the portal and choose a different tenant in the Switch directory section.

Azure AD tenants and subscriptions have a many-to-one trust relationship: A tenant can be associated with multiple Azure subscriptions, but every subscription is associated with only one tenant. This structure allows organizations to manage multiple subscriptions and set security rules across all the resources contained within them.

Here’s a simple representation of accounts, subscriptions, tenants, and resources.

Diagram of how accounts, tenants, subscriptions, and resources work together

Notice that each Azure AD tenant has an account owner. This is the original Azure account that is responsible for billing. You can add additional users to the tenant, and even invite guests from other Azure AD tenants to access resources in subscriptions.

Azure account types

Azure has several account types that cater to different customer types. The most commonly used accounts are:

  • Free
  • Pay-As-You-Go
  • Enterprise Agreement

Azure free account

An Azure free account includes a $200 credit to spend for the first 30 days, free access to the most popular Azure products for 12 months, and access to more than 25 products that are always free. This is an excellent way for new users to get started. To set up a free account, you need a phone number, a credit card, and a Microsoft account.

Note

Credit card information is used for identity verification only. You won’t be charged for any services until you upgrade.

Azure Pay-As-You-Go account

A Pay-As-You-Go (PAYG) account bills you monthly for the services you used. This account type is appropriate for a wide range of users, from individuals to small businesses and many large organizations as well.

Azure Enterprise Agreement

An Enterprise Agreement provides flexibility to buy cloud services and software licenses under one agreement, with discounts for new licenses and Software Assurance. It is targeted at enterprise-scale organizations.

Summary

Whether you are an individual, a small business, or an enterprise, you need an account to use Azure services. The typical sequence is to start with a free account so that you can evaluate Azure services. When your trial period expires, you will convert from the free account to Pay-As-You-Go.
