AZ-104 Objective 2.2: Configure and Manage Storage Accounts

AZ-104 Exam Focus: This objective covers Azure Storage account creation, configuration, and management. Understanding storage account types, redundancy options, object replication, encryption, and data management tools is crucial for Azure administrators. Master these concepts for both exam success and real-world Azure Storage management.

Understanding Azure Storage Accounts

Azure Storage accounts provide a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. All objects in a storage account are billed together as a group and share the same access control settings. Once you've created storage accounts, you'll want to learn about configuring access to storage to secure these accounts properly.

Storage Account Components:

  • Blob Storage: Object storage for unstructured data
  • File Storage: Managed file shares for cloud or on-premises deployments
  • Queue Storage: Messaging store for reliable messaging between application components
  • Table Storage: NoSQL store for structured data
  • Disk Storage: Managed and unmanaged disks for virtual machines

Create and Configure Storage Accounts

Storage Account Types

Azure offers different types of storage accounts to meet various performance, security, and cost requirements.

General-purpose v2 (Standard):
  • Performance: Standard performance tier
  • Access Tiers: Hot, Cool, Archive
  • Services: Blob, File, Queue, Table
  • Use Case: Most common storage account type
  • Cost: Most cost-effective option
General-purpose v2 (Premium):
  • Performance: Premium performance tier
  • Access Tiers: Hot tier only
  • Services: Blob, File (limited)
  • Use Case: High-performance scenarios
  • Cost: Higher cost for better performance
Block Blob Storage:
  • Performance: Premium performance
  • Services: Block blobs only
  • Use Case: High-transaction workloads
  • Cost: Optimized for block blob operations
File Storage:
  • Performance: Premium performance
  • Services: File shares only
  • Use Case: High-performance file shares
  • Cost: Optimized for file operations

Creating Storage Accounts

Azure Portal Method

Step-by-Step Process:
  1. Navigate to Storage Accounts: Go to Azure Portal → Storage accounts
  2. Create Storage Account: Click "Create" → "Storage account"
  3. Basic Configuration:
    • Subscription: Select subscription
    • Resource Group: Create new or select existing
    • Storage Account Name: Globally unique name (3-24 characters)
    • Region: Select deployment region
    • Performance: Standard or Premium
    • Redundancy: LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS
  4. Advanced Configuration:
    • Security: Enable/disable public access
    • Networking: Configure network access
    • Data Protection: Enable soft delete and versioning
    • Encryption: Configure encryption options
  5. Review and Create: Review settings and create storage account

PowerShell Method

Storage Account Creation Commands:
# Connect to Azure
Connect-AzAccount

# Create resource group
New-AzResourceGroup -Name "MyStorageRG" -Location "East US"

# Create standard general-purpose v2 storage account
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount" -Location "East US" -SkuName "Standard_LRS" -Kind "StorageV2"

# Create premium general-purpose v2 storage account
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mypremiumstorage" -Location "East US" -SkuName "Premium_LRS" -Kind "StorageV2"

# Create block blob storage account
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "myblockblobstorage" -Location "East US" -SkuName "Premium_LRS" -Kind "BlockBlobStorage"

# Create file storage account
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "myfilestorage" -Location "East US" -SkuName "Premium_LRS" -Kind "FileStorage"

# Get storage account details
Get-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount"

# Update storage account properties
Set-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount" -AccessTier "Cool"

Azure CLI Method

Azure CLI Commands:
# Login to Azure
az login

# Create resource group
az group create --name MyStorageRG --location "East US"

# Create standard general-purpose v2 storage account
az storage account create --name mystorageaccount --resource-group MyStorageRG --location "East US" --sku Standard_LRS --kind StorageV2

# Create premium general-purpose v2 storage account
az storage account create --name mypremiumstorage --resource-group MyStorageRG --location "East US" --sku Premium_LRS --kind StorageV2

# Create block blob storage account
az storage account create --name myblockblobstorage --resource-group MyStorageRG --location "East US" --sku Premium_LRS --kind BlockBlobStorage

# Create file storage account
az storage account create --name myfilestorage --resource-group MyStorageRG --location "East US" --sku Premium_LRS --kind FileStorage

# Get storage account details
az storage account show --name mystorageaccount --resource-group MyStorageRG

# Update storage account properties
az storage account update --name mystorageaccount --resource-group MyStorageRG --access-tier Cool

Storage Account Configuration

Access Tiers

Blob Access Tiers:
  • Hot Tier: Optimized for frequent access, higher storage cost, lower access cost
  • Cool Tier: Optimized for infrequent access, lower storage cost, higher access cost
  • Archive Tier: Optimized for long-term retention, lowest storage cost, highest access cost
Access Tier Configuration:
  • Account Level: Set default access tier for new blobs
  • Blob Level: Override account tier for individual blobs
  • Lifecycle Management: Automatic tier transitions

Configure Azure Storage Redundancy

Understanding Storage Redundancy

Azure Storage redundancy ensures your data is durable and highly available by storing multiple copies of your data across different locations and storage nodes.

Redundancy Options

Locally Redundant Storage (LRS):
  • Replication: 3 copies within single datacenter
  • Durability: 99.999999999% (11 9's)
  • Availability: 99.9%
  • Cost: Lowest cost option
  • Use Case: Development, testing, non-critical data
Zone-Redundant Storage (ZRS):
  • Replication: 3 copies across 3 availability zones
  • Durability: 99.999999999% (11 9's)
  • Availability: 99.9%
  • Cost: Higher than LRS
  • Use Case: Production workloads requiring zone-level protection
Geo-Redundant Storage (GRS):
  • Replication: 3 copies in primary region + 3 copies in secondary region
  • Durability: 99.99999999999999% (16 9's)
  • Availability: 99.9%
  • Cost: Higher than LRS/ZRS
  • Use Case: Production workloads requiring geographic protection
Read-Access Geo-Redundant Storage (RAGRS):
  • Replication: Same as GRS + read access to secondary region
  • Durability: 99.99999999999999% (16 9's)
  • Availability: 99.99%
  • Cost: Highest cost option
  • Use Case: Global applications requiring read access to secondary region

Configuring Storage Redundancy

PowerShell Method

Redundancy Configuration Commands:
# Create storage account with LRS
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mylrsstorage" -Location "East US" -SkuName "Standard_LRS"

# Create storage account with ZRS
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "myzrsstorage" -Location "East US" -SkuName "Standard_ZRS"

# Create storage account with GRS
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mygrsstorage" -Location "East US" -SkuName "Standard_GRS"

# Create storage account with RAGRS
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "myragrsstorage" -Location "East US" -SkuName "Standard_RAGRS"

# Change redundancy type (requires account recreation)
# Note: Changing redundancy type requires recreating the storage account
# This is a destructive operation

# Get current redundancy configuration
$storageAccount = Get-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount"
$storageAccount.Sku.Name

Azure CLI Method

Azure CLI Commands:
# Create storage account with LRS
az storage account create --name mylrsstorage --resource-group MyStorageRG --location "East US" --sku Standard_LRS

# Create storage account with ZRS
az storage account create --name myzrsstorage --resource-group MyStorageRG --location "East US" --sku Standard_ZRS

# Create storage account with GRS
az storage account create --name mygrsstorage --resource-group MyStorageRG --location "East US" --sku Standard_GRS

# Create storage account with RAGRS
az storage account create --name myragrsstorage --resource-group MyStorageRG --location "East US" --sku Standard_RAGRS

# Get current redundancy configuration
az storage account show --name mystorageaccount --resource-group MyStorageRG --query "sku.name"

Configure Object Replication

Understanding Object Replication

Object replication asynchronously copies block blobs from a source storage account to a destination storage account. This is useful for disaster recovery, data distribution, and compliance requirements.

Object Replication Requirements

Prerequisites:
  • Source Account: Must have versioning enabled
  • Destination Account: Must have versioning enabled
  • Blob Change Feed: Must be enabled on source account
  • Permissions: Appropriate permissions on both accounts
  • Network Access: Network connectivity between accounts

Configuring Object Replication

Azure Portal Method

Step-by-Step Process:
  1. Enable Versioning: Enable versioning on both source and destination accounts
  2. Enable Change Feed: Enable change feed on source account
  3. Navigate to Object Replication: Go to source account → Data management → Object replication
  4. Create Replication Policy: Click "Create replication policy"
  5. Configure Source: Select source account and containers
  6. Configure Destination: Select destination account and containers
  7. Set Rules: Configure replication rules and filters
  8. Create Policy: Create and activate the replication policy

PowerShell Method

Object Replication Commands:
# Enable versioning and change feed on source account
# (blob service settings are changed with Update-AzStorageBlobServiceProperty, not Set-AzStorageAccount)
Update-AzStorageBlobServiceProperty -ResourceGroupName "SourceRG" -StorageAccountName "sourcestorage" -IsVersioningEnabled $true -EnableChangeFeed $true

# Enable versioning on destination account
Update-AzStorageBlobServiceProperty -ResourceGroupName "DestRG" -StorageAccountName "deststorage" -IsVersioningEnabled $true

# Define the replication rule (source container -> destination container)
$rule = New-AzStorageObjectReplicationPolicyRule -SourceContainer "sourcecontainer" -DestinationContainer "destcontainer"

# Create replication policy on the destination account first
# (the service generates the policy ID and rule ID)
$sourceAccount = Get-AzStorageAccount -ResourceGroupName "SourceRG" -Name "sourcestorage"
$destPolicy = Set-AzStorageObjectReplicationPolicy -ResourceGroupName "DestRG" -StorageAccountName "deststorage" -PolicyId "default" -SourceAccount $sourceAccount.Id -Rule $rule

# Apply the same policy, with its generated IDs, to the source account
Set-AzStorageObjectReplicationPolicy -ResourceGroupName "SourceRG" -StorageAccountName "sourcestorage" -InputObject $destPolicy

# Get replication status
Get-AzStorageObjectReplicationPolicy -ResourceGroupName "SourceRG" -StorageAccountName "sourcestorage"

Configure Storage Account Encryption

Understanding Storage Encryption

Azure Storage encryption provides encryption at rest for all data stored in your storage account. This includes blobs, files, queues, and tables.

Encryption Types

Microsoft Managed Keys:
  • Key Management: Microsoft manages encryption keys
  • Key Rotation: Automatic key rotation
  • Cost: No additional cost
  • Use Case: Default encryption option
Customer Managed Keys:
  • Key Management: Customer manages encryption keys
  • Key Rotation: Customer controls key rotation
  • Cost: Additional cost for key management
  • Use Case: Compliance and security requirements
Customer Provided Keys:
  • Key Management: Customer provides keys for each request
  • Key Rotation: Customer controls per-request
  • Cost: No additional cost
  • Use Case: Maximum control over encryption

Configuring Storage Encryption

PowerShell Method

Encryption Configuration Commands:
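# Use encryption with Microsoft managed keys (default)
Set-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount" -StorageEncryption

# Configure customer managed keys
# First, create a key vault and key (the vault must have purge protection enabled)
$keyVault = New-AzKeyVault -VaultName "MyKeyVault" -ResourceGroupName "MyStorageRG" -Location "East US" -EnablePurgeProtection
$key = Add-AzKeyVaultKey -VaultName "MyKeyVault" -Name "MyStorageKey" -Destination "Software"

# Give the storage account a system-assigned managed identity and let it use the key
# (assumes the vault uses the Azure RBAC permission model)
$storageAccount = Set-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount" -AssignIdentity
New-AzRoleAssignment -ObjectId $storageAccount.Identity.PrincipalId -RoleDefinitionName "Key Vault Crypto Service Encryption User" -Scope $keyVault.ResourceId

# Configure storage account to use customer managed key
Set-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount" -KeyvaultEncryption -KeyVaultUri $keyVault.VaultUri -KeyName $key.Name -KeyVersion $key.Version

# Enable infrastructure encryption (double encryption)
# This can only be set when the account is created, so it is a New-AzStorageAccount switch
New-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mydoubleencstorage" -Location "East US" -SkuName "Standard_LRS" -Kind "StorageV2" -RequireInfrastructureEncryption

# Get encryption configuration
(Get-AzStorageAccount -ResourceGroupName "MyStorageRG" -Name "mystorageaccount").Encryption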

Azure CLI Method

Azure CLI Commands:
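# Use encryption with Microsoft managed keys (default)
az storage account update --name mystorageaccount --resource-group MyStorageRG --encryption-key-source Microsoft.Storage

# Configure customer managed keys
# First, create a key vault and key (the vault must have purge protection enabled)
az keyvault create --name MyKeyVault --resource-group MyStorageRG --location "East US" --enable-purge-protection true
az keyvault key create --vault-name MyKeyVault --name MyStorageKey --protection software

# Give the storage account a system-assigned managed identity and let it use the key
# (bash syntax; assumes the vault uses the Azure RBAC permission model)
az storage account update --name mystorageaccount --resource-group MyStorageRG --assign-identity
principalId=$(az storage account show --name mystorageaccount --resource-group MyStorageRG --query identity.principalId --output tsv)
vaultId=$(az keyvault show --name MyKeyVault --query id --output tsv)
az role assignment create --assignee-object-id "$principalId" --assignee-principal-type ServicePrincipal --role "Key Vault Crypto Service Encryption User" --scope "$vaultId"

# Configure storage account to use customer managed key
az storage account update --name mystorageaccount --resource-group MyStorageRG --encryption-key-source Microsoft.Keyvault --encryption-key-vault "https://MyKeyVault.vault.azure.net/" --encryption-key-name MyStorageKey

# Enable infrastructure encryption
# This can only be set when the account is created
az storage account create --name mydoubleencstorage --resource-group MyStorageRG --location "East US" --sku Standard_LRS --kind StorageV2 --require-infrastructure-encryption true

# Get encryption configuration
az storage account show --name mystorageaccount --resource-group MyStorageRG --query "encryption"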
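
The settings covered so far (public access, network access, redundancy, customer managed keys, infrastructure encryption) can be checked across a subscription from the JSON that `az storage account list --output json` returns. The following is an added example, not part of the original guide: the sample records are constructed, and treating every check as mandatory is an assumption of the example.

```python
import json

# Constructed sample shaped like `az storage account list --output json`,
# trimmed to the properties the checks read. These are not real accounts.
SAMPLE_ACCOUNTS = json.loads("""[
  {"name": "mystorageaccount", "sku": {"name": "Standard_LRS"},
   "allowBlobPublicAccess": true, "enableHttpsTrafficOnly": true,
   "networkRuleSet": {"defaultAction": "Allow"},
   "encryption": {"keySource": "Microsoft.Storage",
                  "requireInfrastructureEncryption": null}},
  {"name": "myragrsstorage", "sku": {"name": "Standard_RAGRS"},
   "allowBlobPublicAccess": false, "enableHttpsTrafficOnly": true,
   "networkRuleSet": {"defaultAction": "Deny"},
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "requireInfrastructureEncryption": true}}
]""")

# Redundancy suffixes of SKU names that keep a copy in a secondary region.
GEO_REDUNDANT = {"GRS", "RAGRS", "GZRS", "RAGZRS"}


def audit_account(account):
    """Return (code, message) findings for one storage account record."""
    findings = []
    enc = account.get("encryption") or {}
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append(("customer-managed-key",
                         "encrypted with Microsoft managed keys"))
    if enc.get("requireInfrastructureEncryption") is not True:
        findings.append(("infrastructure-encryption",
                         "double encryption is off (creation-time setting)"))
    # Anything other than an explicit false is flagged; that conservative
    # reading of a missing value is a choice made by this example.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append(("public-blob-access",
                         "anonymous access to blobs can be enabled"))
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings.append(("network-default-allow",
                         "firewall accepts traffic from all networks"))
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append(("http-allowed", "plain HTTP requests are accepted"))
    sku = (account.get("sku") or {}).get("name", "")
    if sku.rsplit("_", 1)[-1] not in GEO_REDUNDANT:
        findings.append(("geo-redundancy",
                         f"{sku or 'unknown SKU'} keeps no copy in a second region"))
    return findings


def audit_accounts(accounts):
    """Map account name -> list of finding codes, omitting clean accounts."""
    report = {}
    for account in accounts:
        codes = [code for code, _ in audit_account(account)]
        if codes:
            report[account["name"]] = codes
    return report


if __name__ == "__main__":
    for name, codes in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(codes)}")
```

To run it against a real subscription, replace `SAMPLE_ACCOUNTS` with the parsed output of `az storage account list --output json`.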

Manage Data by Using Azure Storage Explorer and AzCopy

Azure Storage Explorer

Azure Storage Explorer is a standalone app that makes it easy to work with Azure Storage data on Windows, macOS, and Linux.

Storage Explorer Features

Key Features:
  • Multi-Account Support: Connect to multiple storage accounts
  • Cross-Platform: Windows, macOS, and Linux support
  • Visual Interface: Easy-to-use graphical interface
  • File Operations: Upload, download, copy, move, delete files
  • Blob Management: Manage containers, blobs, and snapshots
  • File Share Management: Manage file shares and directories
  • Queue Management: View and manage queue messages
  • Table Management: View and edit table data

AzCopy

AzCopy is a command-line utility that you can use to copy blobs or files to or from a storage account.

AzCopy Features

Key Features:
  • High Performance: Optimized for large data transfers
  • Resume Support: Resume interrupted transfers
  • Parallel Transfers: Multiple concurrent transfers
  • Cross-Platform: Windows, macOS, and Linux support
  • Flexible Authentication: SAS tokens, access keys, Azure AD
  • Filtering: Include/exclude patterns for files
  • Logging: Detailed transfer logs

AzCopy Usage Examples

Basic AzCopy Commands

Common Operations:
# Login to Azure (for Azure AD authentication)
azcopy login

# Copy files to blob storage
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive

# Copy blobs between storage accounts
azcopy copy "https://sourceaccount.blob.core.windows.net/container" "https://destaccount.blob.core.windows.net/container" --recursive

# Copy with SAS token
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacupx&se=2024-12-31T23:59:59Z&st=2024-01-01T00:00:00Z&spr=https&sig=..." --recursive

# Copy with specific access tier
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --block-blob-tier=Hot

# Copy with metadata
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --metadata "key1=value1;key2=value2"

# Copy with filtering
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --include-pattern "*.jpg;*.png"

# Resume an interrupted transfer
# (azcopy copy has no resume flag; the job is resumed by its ID)
azcopy jobs resume <job-id>

# Copy with parallel transfers
# (concurrency is set through an environment variable; PowerShell syntax shown)
$env:AZCOPY_CONCURRENCY_VALUE = "16"
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive

# Copy with logging
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --log-level INFO
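
The SAS token in the "Copy with SAS token" command above is an account-level token with every permission and a one-year validity window. The following added example, not part of the original guide, reviews a SAS URL before it is handed to AzCopy; the permission set the job needs and the seven-day lifetime limit are assumptions supplied by the caller.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# The SAS URL from the AzCopy command on this page (signature elided there).
PAGE_SAS_URL = ("https://mystorageaccount.blob.core.windows.net/container"
                "?sv=2020-08-04&ss=b&srt=sco&sp=rwdlacupx"
                "&se=2024-12-31T23:59:59Z&st=2024-01-01T00:00:00Z"
                "&spr=https&sig=...")


def _parse_time(value):
    """Parse the ISO 8601 UTC forms a SAS accepts for st and se."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def review_sas_url(url, allowed_perms, now, max_lifetime=timedelta(days=7)):
    """Return (code, message) findings for the SAS token in a storage URL.

    allowed_perms: permission letters the transfer needs (caller's decision).
    max_lifetime:  local policy limit, an assumption of this example.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in params:
        return [("no-sas", "URL carries no SAS signature")]
    findings = []
    # ss/srt appear only in an account SAS; a service SAS uses sr instead.
    if "ss" in params or "srt" in params:
        findings.append(("account-sas",
                         "account-level SAS; scope it to one container or blob"))
    extra = sorted(set(params.get("sp", "")) - set(allowed_perms))
    if extra:
        findings.append(("excess-permissions",
                         "sp grants unneeded permissions: " + "".join(extra)))
    if "se" not in params:
        # Without se the expiry can only come from a stored access policy (si).
        if "si" not in params:
            findings.append(("no-expiry", "token has no expiry time"))
    else:
        expiry = _parse_time(params["se"])
        start = _parse_time(params["st"]) if "st" in params else now
        if expiry <= now:
            findings.append(("expired", f"token expired at {params['se']}"))
        elif expiry - start > max_lifetime:
            findings.append(("long-lifetime",
                             f"valid for {(expiry - start).days} days"))
    # spr defaults to "https,http" when it is absent.
    if params.get("spr") != "https":
        findings.append(("http-allowed", "token is usable over plain HTTP"))
    return findings


if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the demo
    for code, message in review_sas_url(PAGE_SAS_URL, "cw", when):
        print(f"{code}: {message}")
```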

Advanced AzCopy Operations

Advanced Commands:
# Sync directories (one-way sync)
azcopy sync "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive

# Copy with checksum verification
# (store an MD5 hash on upload with --put-md5; --check-md5 validates it on download)
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --put-md5
azcopy copy "https://mystorageaccount.blob.core.windows.net/container" "C:\local\path" --recursive --check-md5 LogOnly

# Copy with bandwidth throttling
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --cap-mbps 10

# Re-run failed transfers
# (azcopy copy has no retry flags; list the failed transfers, then resume the job)
azcopy jobs show <job-id> --with-status=Failed
azcopy jobs resume <job-id>

# Job management (jobs remove deletes a job's plan and log files)
azcopy jobs list
azcopy jobs show <job-id>
azcopy jobs resume <job-id>
azcopy jobs remove <job-id>

# Copy with dry run (preview)
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --dry-run

# Progress is displayed by default; emit it as JSON for scripts
azcopy copy "C:\local\path" "https://mystorageaccount.blob.core.windows.net/container" --recursive --output-type json

Advanced Storage Management Scenarios

Scenario 1: Disaster Recovery Setup

Situation: Organization needs to set up disaster recovery for critical data stored in Azure Storage.

Solution: Configure GRS or RAGRS redundancy, set up object replication, implement lifecycle management policies, and establish backup procedures using AzCopy.

Scenario 2: Data Migration

Situation: Organization needs to migrate large amounts of data from on-premises to Azure Storage.

Solution: Use AzCopy for high-performance transfers, implement parallel transfers, set up resume capabilities, and monitor transfer progress.

Scenario 3: Compliance and Security

Situation: Organization needs to meet regulatory compliance requirements for data encryption and retention.

Solution: Implement customer managed keys, enable infrastructure encryption, configure lifecycle management, and set up audit logging.

Storage Account Best Practices

Design Best Practices

✅ Recommended Practices:
  • Naming Convention: Use consistent naming for storage accounts
  • Resource Group Organization: Group related storage accounts
  • Access Tier Planning: Plan access tiers based on data usage patterns
  • Redundancy Selection: Choose appropriate redundancy based on requirements
  • Encryption Strategy: Implement appropriate encryption for data sensitivity
  • Network Security: Configure firewalls and VNet access
  • Monitoring: Set up monitoring and alerting

Performance Optimization

Performance Tips:
  • Premium Storage: Use premium storage for high-performance workloads
  • Parallel Transfers: Use parallel transfers for large data operations
  • CDN Integration: Use Azure CDN for frequently accessed content
  • Compression: Enable compression for text-based data
  • Batch Operations: Use batch operations for multiple file operations
  • Connection Pooling: Reuse connections when possible

Monitoring and Troubleshooting

Storage Account Monitoring

Key Metrics to Monitor:
  • Availability: Storage account availability percentage
  • Capacity: Storage account capacity usage
  • Transactions: Number of storage transactions
  • Egress: Data egress volume
  • Ingress: Data ingress volume
  • Success Rate: Successful request percentage
  • Average Latency: Average request latency

Common Issues and Solutions

⚠️ Common Problems:
  • Storage Account Name Conflicts: Ensure globally unique names
  • Access Tier Issues: Verify access tier configuration
  • Redundancy Configuration: Check redundancy settings
  • Encryption Problems: Verify encryption configuration
  • Network Access Issues: Check firewall and VNet settings
  • Performance Issues: Monitor metrics and optimize configuration
  • Data Transfer Failures: Check network connectivity and permissions

Exam Preparation Tips

Key Concepts to Remember

  • Storage Account Types: General-purpose v2, Block Blob, File Storage
  • Redundancy Options: LRS, ZRS, GRS, RAGRS, GZRS, RAGZRS
  • Access Tiers: Hot, Cool, Archive tiers and use cases
  • Object Replication: Requirements and configuration
  • Encryption Types: Microsoft managed, customer managed, customer provided
  • Data Management Tools: Storage Explorer and AzCopy features
  • Performance Considerations: Premium vs standard storage

Practice Questions

Sample Exam Questions:

  1. What is the difference between LRS and GRS redundancy?
  2. How do you create a storage account with PowerShell?
  3. What are the requirements for object replication?
  4. How do you configure customer managed keys for encryption?
  5. What is the difference between Hot and Cool access tiers?
  6. How do you use AzCopy to copy files to blob storage?
  7. What are the benefits of using premium storage?
  8. How do you enable versioning on a storage account?
  9. What is the purpose of Azure Storage Explorer?
  10. How do you configure infrastructure encryption?

AZ-104 Success Tip: Azure Storage account management is fundamental to cloud data management. Focus on understanding storage account types, redundancy options, access tiers, and encryption methods. Practice with PowerShell and Azure CLI commands for storage account operations, and understand how to use AzCopy and Storage Explorer for data management. Pay attention to the differences between various redundancy options and when to use each access tier for cost optimization.
