Azure Storage

  • A Storage Account has a globally unique name and supports four types:
    • Blob container: object store
      • Anonymous (global) permissions: Private (no access), Blob (read only if the exact URL is known), Container (the container can be listed to discover object URLs)
      • Supports VHD
    • Table: key-value store, cheaper than DBMS, but not transactional
    • Queue: messaging
    • File: SMB network share
      • Rule of thumb (ROT): use for sharing data between applications running on different VMs, not for one application that scales out across several servers
    • Data Lake Storage Gen2: stores files and objects; ideal for analytical workloads
  • Immutable Blobs can't be deleted or modified; good for legal or compliance requirements
    • Time-based retention: the container creation time is used, not the time the policy was applied
    • Legal Hold: data can be deleted only after the hold is cleared
  • Access can be restricted to specific VNet
  • Encryption types:
    1. Storage Service Encryption (SSE) is transparent to the user
    2. Client-side Encryption is handled by the client library
  • Managed disks are placed in different storage fault-domains
  • File share: SMB 3.0 protocol; supports on-prem or VM mounting
  • Storage Sync service: syncs contents at least once every 24 h
    • Sync group: consists of one cloud endpoint and one or more server endpoints
      • Cloud tiering: only hot files are cached locally
    • For on-prem servers, TCP port 445 must be open
  • Blob types: Block blob (the entire blob is the unit of I/O), Page blob (e.g. .vhd files), Append blob (binary logs)
  • Blob storage is flat within a container; folders within it are virtual

Storage Access

  • Access keys: key1 and key2 act as master signing keys
  • Shared Access Signatures (SAS):
    • allow delegated access to storage; signed with the access keys
    • Two types: Service SAS (access to one storage service) and Account SAS
    • Conditional access using: duration, IP, storage type (blob, table, file etc.), access level (RO, RW, create etc.)
  • RBAC using IAM: assign an Azure AD user one of the Storage roles
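As an added example (not part of these notes), the following Python audits a SAS URL's query parameters and flags the conditional-access controls listed above when they are missing or loose: long duration, no IP restriction (sip), HTTP allowed (spr), and permissions (sp) beyond read/list. The 24-hour threshold and the sample URL are constructed assumptions, not Azure rules.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

MAX_LIFETIME_HOURS = 24        # assumed policy threshold, not an Azure limit
READ_ONLY_PERMS = set("rl")    # r = read, l = list; any other letter can change data

def _parse_time(value):
    """SAS times (st/se) are ISO 8601 UTC: full timestamp or bare date."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def audit_sas(url, now=None):
    """Return (kind, findings): kind is 'account' or 'service', findings a list of strings."""
    now = _parse_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if not all(k in q for k in ("sig", "sp", "se")):
        raise ValueError("not a SAS URL: needs sig, sp and se parameters")
    # An account SAS carries ss (services) and srt (resource types); a service SAS carries sr.
    kind = "account" if "ss" in q else "service"
    findings = []
    if kind == "account":
        findings.append(f"account SAS covers services '{q['ss']}' and resource types '{q.get('srt', '')}'")
    mutating = set(q["sp"]) - READ_ONLY_PERMS
    if mutating:
        findings.append("grants mutating permissions: " + "".join(sorted(mutating)))
    expiry = _parse_time(q["se"])
    start = _parse_time(q["st"]) if "st" in q else now
    if expiry <= now:
        findings.append("expired")
    elif (expiry - start).total_seconds() > MAX_LIFETIME_HOURS * 3600:
        findings.append(f"lifetime exceeds {MAX_LIFETIME_HOURS}h")
    if "sip" not in q:
        findings.append("no IP restriction (sip)")
    if q.get("spr", "https,http") != "https":   # when spr is absent, HTTP is also allowed
        findings.append("plain HTTP allowed (spr)")
    return kind, findings

# Constructed sample: a service SAS on a container, signature replaced by a placeholder.
SAMPLE_SAS = ("https://examplestorage.blob.core.windows.net/backups"
              "?sv=2022-11-02&sr=c&sp=rwdl&st=2024-01-01T00:00:00Z"
              "&se=2025-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER")

if __name__ == "__main__":
    kind, findings = audit_sas(SAMPLE_SAS)
    print(kind, *findings, sep="\n  ")
```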

Storage Account attributes

  • Performance:
    • Standard: HDD
    • Premium: SSD (supported for VMs only)
  • Account Kind:
    • Storage (General Purpose v1): supports tables, queues, files or containers (blob); slightly cheaper reads than v2
    • StorageV2 (General Purpose v2): like v1, but offers more options, such as redundancy
    • Blob: supports only object store (can be public by default)
  • Storage replication:
    • Locally-redundant storage (LRS): 3 copies; tolerates node failure (11 nines)
    • Geo-redundant storage (GRS): 6 copies, data copied to a secondary region; tolerates node and data center (DC) failures
      • Each region is paired with another region
    • Read-access geo-redundant storage (RA-GRS): like GRS, plus a secondary endpoint for reading data without a failover process
    • Zone-redundant storage (ZRS): data replicated to 3 storage clusters in different AZs; tolerates node and DC failures
      • not available for blobs
      • available only through PowerShell (Udemy video 55?)
    • Geo-zone-redundant storage (GZRS) (16 nines)
      • pay for the bandwidth to transfer data between geos
    • Read-access geo-zone-redundant storage (RA-GZRS)
  • Access Tier:
    • Hot: default, active data
    • Cool: minimum 30 days
    • Archive: minimum 180 days
  • Can be restricted to allow access only from a specific virtual network, subnet and/or IP
    • the access key is still needed
    • other virtual networks can still be peered to allow access
    • can be changed after creation

Import/Export

  • Offline using Azure Data Box: for moving large amounts of data
    • Data Box Disk: up to 40 TB
    • Data Box: up to 500 TB
    • Data Box Heavy: over 500 TB
  • Online: Data Box Gateway and Data Box Edge
  • WAImportExport.exe:
    • Import: v1 for blobs, v2 for files; Export: only blobs can be exported
    • Tool needs the BitLocker key: use the Windows command manage-bde -protectors -get E:
    • Creates a journal file that must be uploaded into an Azure Import/Export job

Content Delivery Network (CDN)

  • Providers: Premium Verizon, Standard Verizon, Akamai, Microsoft
    • Large-file and media delivery via general web delivery are supported only by Microsoft and Verizon
    • TTL: 7 days by default, or as specified in the HTTP header

Recovery Services Vaults

  • Backup config: Geo-Redundant or Locally-Redundant; can't be changed once set up
  • Backup policies: VM, File Share, SQL Server in VM
  • VM recovery options: create new VM, replace disks, overwrite disks

Diagnostics Logs

  • Tenant logs: record activity outside an Azure subscription (requires an agent)
  • Resource logs: record resource activity within a subscription
  • Windows VM logs:
    • Performance counters: CPU, memory, disk, network etc.
    • Logs: levels Critical/Error/Warning etc. for System or Application; Security audits
    • Crash dumps: on application failure
    • Sinks: send the logs to an application
    • Agent: customize the agent via storage account, disk quota and severity level
  • Available via the resource or Azure Monitor

Disks

  • OS: contains the OS as C:; max 2 TB
  • Temporary: pagefile.sys or other temporary files, as D: on Windows or /dev/sdb mounted at /mnt on Linux
    • Data may not be retained
  • Data disk: max 4 TB
    • Managed disks
      • Premium SSD
      • Standard SSD
      • Standard HDD
      • Ultra SSD (preview)
    • Unmanaged disks
      • Legacy, only HDD; can't exceed 20,000 IOPS for the entire storage account
  • Disk caching for data disks
    • None: for write-heavy data
    • ReadOnly host caching: for RO and RW workloads that need low-latency reads and high read IOPS
    • ReadWrite host caching: for RO and RW; used for C:\ (OS disk) or applications that support writing cached data
  • Notes:
    • VMs are assigned to an Availability Set at creation time

Container

  • Azure Container Instances (ACI) is PaaS without the need to manage VMs or other services
  • Azure Kubernetes Service (AKS) is an orchestration service for running containers
  • Containers are mainly used for implementing a microservice architecture

App Service

  • Web Apps, API Apps, Mobile Apps, WebJobs
  • Web App
    • Deployment slots: staging environments used before releasing to prod
  • WebJobs run in the same context as Web Apps, API Apps or Mobile Apps
    • used for running background tasks