
Ezekiel Umesi
How to Store Private Files in Azure Blob Storage

Azure Blob Storage is a great way to host both public website content and private company files. In this post, I’ll guide you through:

  • Adding safety features like soft delete and versioning
  • Creating a private storage account for sensitive documents
  • Giving temporary access using SAS (Shared Access Signatures)
  • Using lifecycle rules to manage storage costs
  • Setting up replication to back up files from one storage account to another

Let’s dive in.


☁️ Part 1: Set Up a Public Storage Account

🔧 Step 1: Create the Storage Account

  1. Log in to the Azure Portal.
  2. Search for "Storage accounts" and click + Create.
  3. Create a new resource group (e.g., storage-rg).
  4. Name your account something like privatewebsitemyezekiel (the name must be globally unique).
  5. Click Review + Create, then Create.

🔐 Part 2: Store Internal Documents in a Private Container

🔧 Step 1: Create the Private Storage Account

  1. Create another storage account (e.g., privatewebsitemyezekiel) in the same resource group.
  2. Click Review + Create, then Create.



🌐 Step 2: Enable Geo-Redundant Storage (GRS Only)

  1. In the storage account, go to Redundancy.
  2. Select Geo-redundant storage (GRS) — no read access needed.
  3. Save the setting.



📁 Step 3: Create a Private Container

  1. Go to Containers → click + Container.
  2. Name it private.
  3. Set Public access level to Private (no anonymous access).
  4. Click Create.



🚫 Step 4: Test That the File Is Not Public

  1. Upload a small file.
  2. Copy the Blob URL and try to open it in a browser — it should not open.



🔐 Step 5: Grant Temporary Access with SAS

  1. Click on the uploaded file → go to the Generate SAS tab.
  2. Grant Read permission.
  3. Set an expiry of 24 hours.
  4. Click Generate SAS token and URL.
  5. Open the URL in a browser to test.

✅ The file should now load only with this link.
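The check below is an added example, not part of the original post: it parses a SAS URL like the one generated in Step 5 and reports anything that deviates from the settings chosen there (Read permission only, at most 24 hours of validity). The single-blob scope and HTTPS-only checks, the name `audit_sas_url`, and the sample URLs are assumptions added for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=24)  # expiry chosen in Step 5


def _utc(value):
    """Parse a SAS timestamp (ISO 8601, e.g. 2025-01-01T00:00:00Z) as aware UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas_url(url, now=None):
    """Return findings for a blob SAS URL; an empty list means it matches Step 5."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if q.get("sp") != "r":  # sp = signed permissions
        findings.append(f"permissions sp={q.get('sp')!r}, expected read-only 'r'")
    if q.get("sr") != "b":  # sr = signed resource (b = blob, c = container)
        findings.append(f"scope sr={q.get('sr')!r}, expected a single blob 'b'")
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr=https)")
    if "se" not in q:  # se = signed expiry
        findings.append("no expiry (se) in the token")
    else:
        expiry = _utc(q["se"])
        start = _utc(q["st"]) if "st" in q else now  # no st: valid from now
        if expiry <= now:
            findings.append("token has already expired")
        elif expiry - start > MAX_LIFETIME:
            findings.append(f"validity window {expiry - start} exceeds 24 hours")
    return findings


# Constructed sample data: account name, blob name, sig and clock are placeholders.
NOW = datetime(2025, 1, 1, 12, tzinfo=timezone.utc)
BASE = "https://exampleaccount.blob.core.windows.net/private/report.pdf"
GOOD = BASE + ("?sv=2022-11-02&st=2025-01-01T00:00:00Z&se=2025-01-02T00:00:00Z"
               "&sr=b&sp=r&spr=https&sig=CONSTRUCTED")
BAD = BASE + "?sv=2022-11-02&se=2026-01-01T00:00:00Z&sr=c&sp=rwdl&sig=CONSTRUCTED"

if __name__ == "__main__":
    for label, url in (("good", GOOD), ("bad", BAD)):
        print(label, audit_sas_url(url, now=NOW) or "OK")
```

Running the check on a link before it is shared catches tokens that grant more than the read-only, 24-hour access intended here.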



🧊 Step 6: Use Lifecycle Rules to Save Costs

  1. Go to Lifecycle management.
  2. Click Add rule.
  3. Name it movetocool.
  4. Apply to all blobs → set rule to "Last modified more than 30 days" → Move to cool tier.
  5. Save the rule.


🔁 Step 7: Backup Public Files with Replication

  1. In the private storage account, create a new container named backup.
  2. Go to the public storage account → Object replication.
  3. Create a replication rule:
     • Destination account: private storage
     • Source container: public
     • Destination container: backup
  4. Upload a file to public, and it will appear in backup after a few minutes.



✅ Summary

Here’s what we’ve accomplished:

| Feature | Public Account | Private Account |
|---|---|---|
| High Availability | RA-GRS | GRS |
| Anonymous Access | Enabled | Disabled |
| Soft Delete | Enabled (21 days) | Optional |
| Blob Versioning | Enabled | Optional |
| SAS Access | Not needed | Used for secure sharing |
| Lifecycle Management | Move to cool after 30 days | Same |
| Replication | From public to backup | As destination only |

This setup ensures that public content is easily accessible and private files are secure, while still keeping your storage cost-effective and recoverable.
