Microsoft Azure Storage Account is a Microsoft-managed cloud storage service that is highly accessible, available, reliable, secure, durable, robust, scalable, and redundant. A storage account consists of Azure Blobs (objects), Azure Data Lake Storage Gen2, Azure Files, Azure Queues, and Azure Tables. The price of your storage account depends on usage (pay as you go for the data you keep in the storage account) and on the options you choose while creating and configuring it. Below is a basic sizing-limit guide for Storage Accounts taken from https://docs.microsoft.com/en-us/azure/storage/common/scalability-targets-standard-account. These are soft limits; to increase a limit on a Storage Account you need to contact Azure Support.
| Resource | Limit |
|---|---|
| Number of storage accounts per region per subscription, including standard and premium storage accounts | 250 |
| Default maximum storage account capacity | 5 PiB |
| Maximum number of blob containers, blobs, file shares, tables, queues, entities, or messages per storage account | No limit |
To start creating a new Storage Account, search for Storage Accounts in the search bar at the top and click on it.
Click the + Create button on the storage account list view. On the Basics tab select the Subscription and Resource Group, then enter a name. The name must be unique across all current storage account names in Azure. It must be 3 to 24 characters long, and can include only lowercase letters and numbers. Choose the Azure region that's right for you and your customers. Not all storage account configurations are available in all regions.
Decide whether you want premium performance for block blobs, file shares, or page blobs in your storage account. I am choosing Standard storage performance for this lab.
Standard: Recommended for most circumstances (general-purpose v2 account)
Premium: Recommended for scenarios that require low latency
The data in your Azure storage account is always replicated to ensure durability and high availability. Choose a replication approach that matches your resilience requirements. Some configurations can't be changed after the storage account is created. I have selected Locally-redundant storage (LRS) as the redundancy. The other options are listed below.
Locally-redundant storage (LRS): Lowest-cost option with basic protection against server rack and drive failures. Recommended for non-critical scenarios.
Geo-redundant storage (GRS): Intermediate option with failover capabilities in a secondary region. Recommended for backup scenarios.
Zone-redundant storage (ZRS): Intermediate option with protection against datacenter-level failures. Recommended for high availability scenarios.
Geo-zone-redundant storage (GZRS): Optimal data protection solution that includes the offerings of both GRS and ZRS. Recommended for critical data scenarios.
Click the Next: Advanced > button.
In the Create a storage account wizard, on the Advanced tab, configure the security-related settings that affect how the storage account can be accessed.
Require secure transfer for REST API operations: This option improves the protection of your storage account by only permitting REST API operations on the storage account over HTTPS. Any request using plain HTTP will be rejected when this setting is enabled. When you are using the Azure file service, connections without encryption will fail, including scenarios using SMB 2.1, SMB 3.0 without encryption, and some flavors of the Linux SMB client. Because Azure Storage doesn't support HTTPS for custom domain names, this option is not applied when using a custom domain name. Connections via NFSv3 for blobs over TCP will succeed but will not be secured.
Enable infrastructure encryption: By default, Azure encrypts storage account data at rest. Infrastructure encryption adds a second layer of encryption to your storage account’s data.
Enable blob public access: When blob public access is enabled, one is permitted to configure container ACLs to allow anonymous access to blobs within the storage account. When disabled, no anonymous access to blobs within the storage account is permitted, regardless of underlying ACL configurations.
Enable storage account key access: When storage account key access is disabled, any requests to the account that are authorized with Shared Key, including shared access signatures (SAS), will be denied. Client applications that currently access the storage account using shared key will no longer work.
Default to Azure Active Directory authorization in Azure portal: When this property is enabled, the Azure portal authorizes requests to blobs, queues, and tables with Azure Active Directory by default.
Minimum TLS version: This option sets the minimum TLS version needed by applications using your storage account's data.
Data Lake Storage Gen2: The Data Lake Storage Gen2 hierarchical namespace accelerates big data analytics workloads and supports file-level access control lists (ACLs).
Enable network file system v3: Enables the Network File System v3 protocol for your storage account, which allows users to share files across a network. This option must be set during storage account creation.
Allow cross-tenant replication: Allow object replication to copy blobs to a destination account on a different Azure Active Directory (Azure AD) tenant. Not enabling cross-tenant replication will limit object replication within the same Azure AD tenant.
Access Tier: The account access tier is the default tier inferred by any blob without an explicitly set tier. The hot access tier is ideal for frequently accessed data and day-to-day usage situations, and the cool access tier is ideal for infrequently retrieved data. The archive access tier can only be set at the blob level and not on the account.
Azure Files > Enable large file shares: Offers file share support up to a maximum of 100 TiB. Large file share storage accounts cannot be converted to geo-redundant storage offerings, and the upgrade is permanent.
Table and Queues> Enable support for customer-managed keys: When turned on, enables support for using customer-managed keys (CMKs) to encrypt your tables and queues.
I have kept all the options at their defaults. Click Next: Networking > to proceed.
In the Networking tab, define the connectivity method used to reach the storage account in the Azure cloud. You can connect to a Microsoft Azure storage account with three connectivity methods: Public endpoint (all networks), which exposes the account publicly via public IP addresses and is the default option I have kept selected; Public endpoint (selected networks), also called service endpoints; and Private endpoint.
With Public endpoint (all networks), all networks will be able to access this storage account. Microsoft Azure recommends using a Private endpoint to access this Azure Storage Account resource privately from your network.
Microsoft network routing will route your traffic to enter the Microsoft cloud as quickly as possible from its source. Internet routing will direct your traffic to enter the Microsoft cloud closer to the Azure endpoint.
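The Basics, Advanced and Networking choices above, expressed as a single Azure PowerShell (Az.Storage) call with the security options set to hardened values instead of the portal defaults, followed by a check that reports existing accounts whose settings are weaker. This is an added example, not code from the original post; the resource group, account name, location and tag values are assumed placeholders.

```powershell
# Added example, not code from the original post: the Basics, Advanced and
# Networking tabs as one New-AzStorageAccount call, with the security options
# set to hardened values instead of the portal defaults.
# Resource group, account name, location and tag values are assumed placeholders.
$rg       = 'rg-storage-lab'
$account  = 'stlabexample001'   # 3-24 lowercase letters and digits, globally unique
$location = 'eastus'

$params = @{
    ResourceGroupName               = $rg
    Name                            = $account
    Location                        = $location
    SkuName                         = 'Standard_LRS'   # Redundancy: LRS, as chosen in the lab
    Kind                            = 'StorageV2'      # Performance: Standard (general-purpose v2)
    AccessTier                      = 'Hot'
    EnableHttpsTrafficOnly          = $true            # Require secure transfer for REST API operations
    MinimumTlsVersion               = 'TLS1_2'         # Minimum TLS version
    AllowBlobPublicAccess           = $false           # Enable blob public access: off
    AllowSharedKeyAccess            = $false           # Enable storage account key access: off (Azure AD only)
    AllowCrossTenantReplication     = $false           # Allow cross-tenant replication: off
    RequireInfrastructureEncryption = $true            # Enable infrastructure encryption
    PublicNetworkAccess             = 'Disabled'       # Networking: no public endpoint; reach it via a private endpoint
    Tag                             = @{ environment = 'lab'; owner = 'storage-team' }
}
$sa = New-AzStorageAccount @params

# Audit check: report accounts in the subscription whose settings are weaker than the ones above.
function Test-StorageAccountHardening {
    param([Parameter(Mandatory)] $StorageAccount)
    $findings = @()
    if (-not $StorageAccount.EnableHttpsTrafficOnly) { $findings += 'HTTP allowed (secure transfer not required)' }
    # A null MinimumTlsVersion means the account still accepts TLS 1.0
    if ($StorageAccount.MinimumTlsVersion -notin @('TLS1_2', 'TLS1_3')) { $findings += "minimum TLS is '$($StorageAccount.MinimumTlsVersion)'" }
    # An unset (null) AllowBlobPublicAccess behaves as allowed on older accounts, so require an explicit $false
    if ($StorageAccount.AllowBlobPublicAccess -ne $false) { $findings += 'anonymous blob access allowed' }
    if ($StorageAccount.AllowSharedKeyAccess -ne $false) { $findings += 'Shared Key / SAS authorization allowed' }
    if ($StorageAccount.PublicNetworkAccess -ne 'Disabled' -and $StorageAccount.NetworkRuleSet.DefaultAction -eq 'Allow') {
        $findings += 'public endpoint open to all networks'
    }
    [pscustomobject]@{ Name = $StorageAccount.StorageAccountName; Findings = $findings }
}

Get-AzStorageAccount | ForEach-Object { Test-StorageAccountHardening -StorageAccount $_ } |
    Where-Object { $_.Findings.Count -gt 0 }
```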
Go to the next tab, Data protection, by clicking the Next: Data protection > button.
Data protection provides recovery options that protect your data from accidental or erroneous deletion or modification.
Enable point-in-time restore for containers: This option works like a storage snapshot. Use point-in-time restore to restore one or more containers to an earlier state. If point-in-time restore is enabled, then versioning, change feed, and blob soft delete must also be enabled.
Enable soft delete for blobs: Soft delete enables you to recover blobs that were previously marked for deletion, including blobs that were overwritten. Set the number of days that a blob marked for deletion persists until it's permanently deleted (Days to retain deleted blobs).
Enable soft delete for containers: Set the number of days that a container marked for deletion persists until it's permanently deleted (Days to retain deleted containers).
Enable soft delete for file shares: Set the number of days that a file share marked for deletion persists until it's permanently deleted (Days to retain deleted file shares).
In the Tracking section, manage versions and keep track of changes made to your blob data.
Enable versioning for blobs: Use versioning to automatically maintain previous versions of your blobs for recovery and restoration.
Enable blob change feed: Keep track of create, modification, and delete changes to blobs in your account.
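The Data protection options above enabled with Azure PowerShell, in the order their dependencies require (point-in-time restore needs blob soft delete, versioning and change feed first, and its restore window must be shorter than the soft-delete retention). This is an added example, not code from the original post; the resource group, account name and retention values are assumed placeholders.

```powershell
# Added example, not code from the original post: the Data protection tab
# settings applied with Az.Storage cmdlets on an existing account.
# Resource group, account name and day counts are assumed placeholders.
$rg      = 'rg-storage-lab'
$account = 'stlabexample001'

# Soft delete for blobs and containers (Days to retain deleted blobs / containers)
Enable-AzStorageBlobDeleteRetentionPolicy      -ResourceGroupName $rg -StorageAccountName $account -RetentionDays 14
Enable-AzStorageContainerDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $account -RetentionDays 14

# Tracking: blob versioning and blob change feed
Update-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $account `
    -IsVersioningEnabled $true -EnableChangeFeed $true

# Point-in-time restore: RestoreDays must be less than the blob soft-delete retention set above
Enable-AzStorageBlobRestorePolicy -ResourceGroupName $rg -StorageAccountName $account -RestoreDays 7

# Soft delete for file shares (Days to retain deleted file shares)
Update-AzStorageFileServiceProperty -ResourceGroupName $rg -StorageAccountName $account `
    -EnableShareDeleteRetentionPolicy $true -ShareRetentionDays 14

# Verify the resulting blob service properties
Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $account |
    Select-Object IsVersioningEnabled,
        @{ n = 'ChangeFeed';         e = { $_.ChangeFeed.Enabled } },
        @{ n = 'BlobSoftDeleteDays'; e = { $_.DeleteRetentionPolicy.Days } },
        @{ n = 'RestoreDays';        e = { $_.RestorePolicy.Days } }
```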
Click the Next: Tags > button.
The Tags tab is a way to label resources in the Azure cloud. Tags are name/value (key/value) pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. If you create tags and then change resource settings on other tabs, your tags will be automatically updated. I have added a few tags; it is always a best practice to add tags.
Click the Review + create button to proceed.
On the Review + create tab, verify the configuration you chose; validation must pass. Click the Create button once validation has passed.
Creating the Azure Storage Account takes you to the deployment page; the deployment will take some time to complete. Click the Go to resource button.
The storage account has been created successfully and is ready to configure.
This is the view from storage account list view.