An Azure Storage account contains different data objects that can be leveraged by various Azure resources. In this video, learn about Azure Storage accounts, in preparation for the AZ-104 exam.
- [Instructor] Prior to writing the exam, you should be very familiar and comfortable with managing storage accounts in Azure. The objectives within this domain include creating and configuring storage accounts, generating shared access signatures, managing access keys, implementing Azure storage replication, configuring Azure Active Directory authentication for a storage account, and configuring network access to storage accounts. An Azure storage account can contain Blob storage, which is used for unstructured data; Files, used for shared cloud files or file servers to be shared on premises; queues, used for messaging; and tables, for a NoSQL store.
For the exam, you'll need to know when and how to create a shared access signature. A shared access signature allows services to access the storage account without sharing the account keys. When you share the account keys, anyone who has those keys also has administrative access. Microsoft recommends not sharing these keys for that reason. When we configure a shared access signature, we can set the various permissions as well as the start and expiry date for that shared access signature, ensuring that the application or user only has access for a very specific period of time.
Every storage account has access keys, which are used to protect against unauthorized access. Access keys are used with authentication applications when requesting access to that storage account. Microsoft recommends keeping the keys safe and not sharing them. That's why we use the shared access signatures that we just talked about instead. Microsoft also highly recommends regenerating these keys when you're using them for your applications. Once you've regenerated the keys, the applications and resources will need to be updated with those new keys. Let's step through the process of regenerating an access key. This is a simple four-step process, but it's important that you know it.
Let's assume we have an application that has access to a storage account using an access key. We'll also assume that that application is currently using key one. The first thing you'll need to do is update the application to use key two. You would then go and regenerate key one. Next, update the application to use key one and then regenerate key two. Using this process will ensure that the application does not lose access to the storage account.
If you are preparing for the exam, you should already be very familiar with Azure storage replication. But here's a quick refresher, and I've broken this down into a primary region and a secondary region for replication. We'll start with replication within the primary region, and there are two types of replication that you can choose from. There's locally redundant storage, LRS. Here replication occurs within the same physical location, the same data center. Or there's zone-redundant storage, ZRS. This is replication over three availability zones within the primary region. Moving on to replication in a secondary region, we have geo-redundant storage, GRS, and this is simply replicating to another region. We also have geo-zone-redundant storage, GZRS. When using this type of replication, the data will be replicated to three availability zones in the primary region, but then replicated to a secondary region. And our last set of replication options is replicating to a secondary region with read access. And here we have two options again. Read-access geo-zone-redundant storage, RA-GZRS, supports replication in the primary region and then to a secondary region with read access. And finally, read-access geo-redundant storage, RA-GRS, is replication to another region with read access.
Finally, we'll review configuring network access to the storage account. Only traffic from allowed virtual networks can access the storage account. You'll want to set the default rule for network access to deny, to only allow traffic from specific networks.
In order to configure network access, the user must have the Join Service to a Subnet permission, which you will find in the Storage Account Contributor role.
The key points from this lesson include understanding the different types of replication, knowing the different types of storage, knowing how to create a storage account, knowing the order in which you should generate access keys, and being familiar with the new firewall and virtual network services. For some hands-on practice, you can create a storage account, and I would recommend being able to do this in the portal as well as using PowerShell. Change the replication to LRS, restrict network access to a storage account, create a shared access signature, and finally regenerate access keys.
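
The four-step key regeneration order described in the lesson, as an added PowerShell example that is not part of the original video or transcript. It assumes the Az.Storage module and a signed-in session (`Connect-AzAccount`); the function names, the resource group and account names, and the `UpdateApplication` hook are hypothetical placeholders.

```powershell
# Added example. Assumes the application currently authenticates with key1.
function Get-StorageKey {
    param([string]$ResourceGroupName, [string]$AccountName, [string]$KeyName)
    (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $AccountName |
        Where-Object KeyName -eq $KeyName).Value
}

function Invoke-StorageKeyRotation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$AccountName,
        # Hypothetical hook: receives a key value and reconfigures the application with it.
        [Parameter(Mandatory)][scriptblock]$UpdateApplication
    )
    $ErrorActionPreference = 'Stop'   # any failure halts before the next key is invalidated

    # Steps 1+2: move the app to key2, regenerate key1.
    # Steps 3+4: move the app back to key1, regenerate key2.
    $steps = @(
        @{ UseKey = 'key2'; Regenerate = 'key1' },
        @{ UseKey = 'key1'; Regenerate = 'key2' }
    )
    foreach ($step in $steps) {
        $active = Get-StorageKey $ResourceGroupName $AccountName $step.UseKey
        & $UpdateApplication $active   # the app must be on the other key first

        $old = Get-StorageKey $ResourceGroupName $AccountName $step.Regenerate
        if ($PSCmdlet.ShouldProcess("$AccountName/$($step.Regenerate)", 'Regenerate access key')) {
            New-AzStorageAccountKey -ResourceGroupName $ResourceGroupName `
                -Name $AccountName -KeyName $step.Regenerate | Out-Null
            $new = Get-StorageKey $ResourceGroupName $AccountName $step.Regenerate
            if ($new -eq $old) { throw "Key $($step.Regenerate) was not regenerated." }
        }
    }
}

# Constructed usage with placeholder names; -WhatIf previews the regeneration steps.
# The hook here only reports; a real one would update the application's stored key.
Invoke-StorageKeyRotation -ResourceGroupName 'example-rg' -AccountName 'examplestorage' `
    -UpdateApplication { param($key) Write-Host "Application switched to a $($key.Length)-character key" } `
    -WhatIf
```

Because the application is always moved to the other key before a key is regenerated, it never holds a key that has just been invalidated.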