Providing private storage for internal company documents using Azure cloud

In this article, we will be providing private storage to different departments of an online content hosting company. The content is private to the company and shouldn’t be shared without consent. The storage will also be used as a backup to the public website. Thus, the storage requires high availability in case of a disaster occurrence.

Create a storage account and configure high availability.

1. Create a storage account for the internal private company documents.

• In the portal, search for and select Storage accounts.
• Select + Create.

• Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.
• Select Review, and then Create the storage account.
• Wait for the storage account to deploy, and then select Go to resource.

2. This storage requires high availability if there’s a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

• In the storage account, in the Data management section, select the Redundancy blade.
• Ensure Geo-redundant storage (GRS) is selected.
• Refresh the page.
• Review the primary and secondary location information.
• Save your changes.

GRS replicates data to a secondary region without read access.

Create a storage container, upload a file, and restrict access to the file.

1. Create a private storage container for the corporate data.

• In the storage account, in the Data storage section, select the Containers blade.
• Select + Container.
• Ensure the Name of the container is private.
• Ensure the Public access level is Private (no anonymous access).
• As you have time, review the Advanced settings, but take the defaults.
• Select Create.

2. Upload a file to the private container to test that the file isn’t publicly accessible.

• Select the container.
• Select Upload.
• Browse to files and select a file.
• Upload the file.
• Select the uploaded file.

• On the Overview tab, copy the URL.
• Paste the URL into a new browser tab.

• Verify the file doesn’t display, and you receive an error.

The error message displays that "Public access is not permitted on this storage account." This means that the storage is only accessible to employees' devices/ IP addresses.

3. An external partner requires read access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

SAS (Shared Access Signature) enables secure, delegated access to storage account resources with detailed control over permissions and access duration. Thus, enhancing data security while allowing clients to interact with storage without needing full account permissions.

There are three types of SAS:
User delegation SAS - Secured with Microsoft Entra credentials.
Service SAS - Secured with the storage account key, limited to one service.
Account SAS - Secured with the storage account key, allows access across multiple services.

• Select your uploaded blob file and move to the Generate SAS tab.
• In the Permissions drop-down, ensure the partner has only Read permissions.
• Verify the Start and expiry date/time is for the next 24 hours.
• Select Generate SAS token and URL.

In the image above Allowed IP address allows you to control which external devices can have access to the company's private content.

• Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded.

Configure storage access tiers and content replication.

1. To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

Implementing lifecycle management policies optimizes storage costs by automating the management of blob data according to its lifecycle, enhancing efficiency and reducing expenses

• Return to the storage account.
• In the Overview section, notice the Default access tier is set to Hot.

• In the Data management section, select the Lifecycle management blade.
• Select Add rule.

• Set the Rule name to movetocool.
• Set the Rule scope to Apply rule to all blobs in the storage account.
• Select Next.

• Ensure Last modified is selected.
• Set More than (days ago) to 30.
• In the Then drop-down select Move to cool storage.
• Add the rule.

The rule is added as an IF THEN condition.

2. The public website files need to be backed up to another storage account.

In your storage account, create a new container called backup. Use the default values.

Navigate to your publicwebsite storage account. This storage account was created in the previous post, "Providing storage for a public website".

• In the Data management section, select the Object replication blade.
• Select Create replication rules.

• Set the Destination storage account to the private storage account.
• Set the Source container to public and the Destination container to backup.
• Create the replication rule.

Whenever a blob is uploaded on the public storage account, it will be replicated in the private backup storage account. This is how data can be backed up in Azure Cloud.

In this walkthrough, you configured a private Azure storage solution covering geo redundancy, access restriction, SAS tokens for external partners, lifecycle cost management, and cross account replication for backup. These foundational Azure Blob Storage features work together to keep company data secure, available, and cost efficient, even at scale.

Feel free to leave a reaction, drop a comment with any questions, or share it with someone who's just getting started with Azure storage!