Introduction
Every company has data it simply cannot afford to lose or expose: internal documents, financial records, HR files, and department reports that live at the heart of how a business operates. But when your company spans multiple offices across different regions, keeping that data private, protected, and always available becomes a real challenge.
The Finance team in one city needs to confirm cost data for an audit. The Operations team in another needs last quarter's reports. An external partner needs temporary access to a single file. Meanwhile, your public website is quietly generating data that needs backing up every single day.
One missing file, one regional outage, one accidental leak and the consequences ripple across departments, auditors, and clients.
This guide fixes all three problems (private storage, high availability, and automated backup), step by step.
What You're Building
By the end of this guide you'll have:
✅ A private storage account nobody can access without permission
✅ Geo-redundant backup across two Azure regions
✅ A locked-down container for company documents
✅ Temporary partner access via expiring links (no shared passwords)
✅ Automatic file tiering to cut costs after 30 days
✅ Automated backup replication from your public website storage
Step 1: Create the Private Storage Account
This is your company's secure vault in the cloud.
- In Azure Portal, search for Storage accounts
- Click + Create
- Select your existing resource group
- Name it private plus a unique identifier (like private2026)
- Choose Azure blob storage for primary service
- Click Review
- Then Create
- Wait for deployment, then click Go to resource
Step 2: Set Up Geo-Redundant Storage (GRS)
One copy of your data is not enough. GRS keeps a second copy in a completely separate Azure region so that a regional outage doesn't take your data with it.
- In your storage account, go to Data management → Redundancy
- Select Geo-redundant storage (GRS) from the dropdown
- Click Save
- Refresh page
You'll now see two locations listed: your primary region and a secondary region. Your data lives in both. If one disappears, the other keeps your business running.
Step 3: Create a Private Container
Containers are how you organise files within your storage account. This one is strictly private.
- Go to Data storage → Containers
- Click + Container
- Set the name to private
- Keep Public access level as Private (no anonymous access)
- Click Create
Step 4: Upload a File and Confirm It's Private
Let's test that privacy actually works.
- Click on your private container
- Click Upload and choose any file from your computer
- Click Upload
- Click on the uploaded file
- Copy the URL from the Overview tab
- Open a new browser tab and paste the URL
You should see an error like "ResourceNotFound" or "Public access is not permitted."
That error is the correct result. Your file is private. 🔒
Step 5: Grant Temporary Partner Access via SAS
Your external partner needs to view one file for 24 hours. You don't want to give them an account, a password, or permanent access. SAS tokens are the answer: a self-expiring link that works once, for a set time, then stops.
- Click on your uploaded file
- Go to the Generate SAS tab
- Set Permissions to Read only
- Check that the expiry is set to 24 hours from now
- Click Generate SAS token and URL
- Copy the Blob SAS URL
- Paste it in a new browser tab
The file loads! But exactly 24 hours later, the same link will not work.
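Anyone who holds the Blob SAS URL can read the file until it expires, so it is worth checking the link before it leaves your hands. The following is an added example, not part of the original guide: it reads the SAS query parameters (sp, sr, spr, se) and confirms the link is read-only, scoped to one blob, HTTPS-only, and valid for no more than 24 hours. The function name and both sample URLs are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample links (account name, blob path and sig are placeholders).
GOOD_URL = ("https://private2026.blob.core.windows.net/private/report.pdf"
            "?sp=r&st=2026-01-01T09:00:00Z&se=2026-01-02T09:00:00Z"
            "&spr=https&sv=2022-11-02&sr=b&sig=CONSTRUCTED")
BAD_URL = ("https://private2026.blob.core.windows.net/private"
           "?sp=rwdl&se=2026-02-01T09:00:00Z&sv=2022-11-02&sr=c&sig=CONSTRUCTED")

def audit_sas_url(url, now, max_lifetime=timedelta(hours=24)):
    """Return a list of findings; an empty list means the link matches Step 5."""
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    findings = []
    if parts.scheme != "https":
        findings.append("URL is not https")
    if "sig" not in q:
        return findings + ["no sig parameter: not a SAS URL"]
    if q.get("sp") != "r":  # sp = signed permissions
        findings.append(f"permissions are {q.get('sp')!r}, expected read-only 'r'")
    if q.get("sr") != "b":  # sr = signed resource; b = one blob, c = container
        findings.append(f"scope is {q.get('sr')!r}, expected a single blob 'b'")
    if q.get("spr", "https,http") != "https":  # omitted spr also allows http
        findings.append("spr does not restrict the token to https")
    try:
        # Only the full UTC timestamp form is parsed here; other accepted
        # ISO 8601 forms are reported as unparseable rather than guessed.
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        return findings + ["missing or unparseable expiry (se)"]
    if expiry <= now:
        findings.append("token has already expired")
    elif expiry - now > max_lifetime:
        findings.append(f"token lives {expiry - now}, longer than {max_lifetime}")
    return findings

if __name__ == "__main__":
    now = datetime(2026, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed "now"
    for url in (GOOD_URL, BAD_URL):
        print(audit_sas_url(url, now) or "OK: read-only, one blob, https, <= 24h")
```

The check never contacts Azure and never validates the signature; it only inspects what the link claims to grant.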
Step 6: Auto-Move Old Files to Cool Storage
Files you haven't touched in 30 days cost the same as files you use every day. That's wasteful and this rule fixes it automatically.
- In your storage account, go to Data management → Lifecycle management
- Click Add rule
- Name it movetocool
- Set the scope to Apply rule to all blobs in the storage account
- Click Next
- Keep Last modified selected
- Set More than (days ago) to 30
- In the Then dropdown, select Move to cool storage
- Click Add
Files sit in hot storage while active, then quietly move themselves to the cheaper cool tier after a month.
Step 7: Create a Backup Container
Before setting up automatic replication, you need somewhere to receive the backup files.
- In your private storage account, go to Data storage → Containers
- Click + Container
- Name it backup
- Keep the defaults and click Create
This container will receive automatic copies of your public website files.
Step 8: Set Up Automatic Website Backup (Object Replication)
Your public website storage has files that need backing up. Instead of doing it manually, set up a replication rule that copies files automatically in the background.
- Go to your public website storage account (from your previous setup; check my older articles if you need a guide)
- Navigate to Data management → Object replication
- Click Create replication rules
- Set Destination storage account to your private storage account
- Set Source container to public
- Set Destination container to backup
- Click Create
From now on, any file uploaded to your public website container will automatically appear in your private backup container within a few minutes.
Test the Replication (Optional)
- Go to your public website storage account
- Upload any file to the public container
- Wait 3-5 minutes
- Go back to your private storage account
- Open the backup container
Your file appears there automatically.
You've got a live backup running in the background. ✅
Common Issues
- Seeing "Public access not permitted" error when testing: That's correct, it means your privacy settings are working. Only your SAS URL should load the file.
- SAS URL not working: Check the expiry time, it may have already passed. Generate a new one.
- Replication not showing up in backup container: Give it 5-10 minutes. Object replication isn't instant. If it still doesn't appear after 15 minutes, verify both containers exist and the rule is enabled.
Which department in your company would benefit most from this setup first? Finance, HR, or IT? Drop it in the comments, I'd love to know what you're protecting.