Provide private storage for internal company documents

Create a storage account and configure high availability.

1. Create a storage account for the internal private company documents.

• In the portal, search for and select Storage accounts.
  

• Select + Create.
  

• Select the Resource group created in the previous lab.
  

• Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.

• Select Review, and then Create the storage account.
  

• Wait for the storage account to deploy, and then select Go to resource.

1. This storage requires high availability if there’s a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

Explanation

A storage account is like a digital locker in the cloud. Resource group is a folder that organizes related services.
High availability means your files stay safe even if one region (data center area) has problems

Configure Redundancy

• In the storage account, in the Data management section, select the Redundancy blade.
  

• Ensure Geo-redundant storage (GRS) is selected.
  
  

• **Refresh **the page.
  

• Review the primary and secondary location information.
  

• Save your changes.
  

Explanation:

Redundancy means keeping copies of your files in multiple places.
GRS ensures your files are copied to another region for safety.

Create a storage container, upload a file, and restrict access to the file.

1. Create a private storage container for the corporate data.

• In the storage account, in the Data storage section, select the Containers blade.
  

• Select + Container.
  

• Ensure the Name of the container is private.

• Ensure the Public access level is Private (no anonymous access).
  

• As you have time, review the Advanced settings, but take the defaults. It means: don’t change anything in the Advanced settings unless the lab specifically tells you to.
  

Azure already chooses safe, recommended defaults for you.

• Select Create.

Explanation:

A container is like a folder inside your storage account. Setting Public access level to Private means nobody can see files unless you give them permission.

1. Upload a File and Test Privacy For testing, upload a file to the private container. The type of file doesn’t matter. A small image or text file is a good choice. Test to ensure the file isn’t publically accessible.

• Select the container.
  

• Select Upload.
  

• Browse to files and select a file.
  

• Upload the file.
  

• Select the uploaded file.
  

• On the Overview tab, copy the URL.
  

• Paste the URL into a new browser tab.
  https://privatemikkystorage.blob.core.windows.net/private/cli issue.PNG

• Verify the file doesn’t display and you receive an error.

Explanation:

This test shows that your file is truly private — only authorized users can access it.

1. Configure Shared Access Signature (SAS) An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

• Select your uploaded blob file and move to the Generate SAS tab.

• In the Permissions drop-down, ensure the partner has only Read permissions.
  

• Verify the Start and expiry date/time is for the next 24 hours.
  Incorrect
  

Correct to 24 hrs

• Select Generate SAS token and URL.
  

• Copy the Blob SAS URL to a new browser tab.

• Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded.

Explanation:

SAS is a temporary key that lets someone access a file for a limited time.
Blob is just Azure’s word for a file stored in the cloud.

Configure storage access tiers and content replication.

1. To save on costs, after 30 days, move blobs from the hot tier to the cool tier.

• Return to the storage account.

• In the Overview section, notice the Default access tier is set to Hot
  

• In the Data management section, select the Lifecycle management blade.
  

• Select Add rule.
  

• Set the Rule name to movetocool.
  

• Set the Rule scope to Apply rule to all blobs in the storage account.
  

• Select Next.
  

• Ensure Last modified is selected.
  

• Set More than (days ago) to 30.
  

• In the Then drop-down select Move to cool storage.
  

• As you have time, review other lifecycle options in the drop-down.
  

• Add the rule.
  

Explanation:

Hot tier = files used often (fast but more expensive).
Cool tier = files used less often (cheaper).
This rule saves money by moving older files to cheaper storage.

1. Back Up Public Website Storage The public website files need to be backed up to another storage account.

• In your storage account, create a new container called backup. Use the default values. Refer back to Lab 02a if you need detailed instructions.
  
  Container created
  

• Navigate to your publicwebsite storage account. This storage account was created in the previous exercise.
  

  • In the Data management section, select the Object replication blade.
  • Select Create replication rules.
  • Set the Destination storage account to the private storage account.
  • Set the Source container to public and the Destination container to backup.
  • Create the replication rule. replication successful

• Optionally, as you have time, upload a file to the public container.
  
  
  
  

Return to the private **storage account and refresh the **backup container.

Within a few minutes your public website file will appear in the backup folder.

Explanation:

Object replication automatically copies files from your public site into your private backup, keeping everything safe.

Upload to the Public Container
Go into your storage account (the one you created in Lab 02a for the public website).
Open the container named public.
Click Upload and choose a file (for example, a picture or text file).
Once uploaded, that file is now available for public access through its URL.
Refresh the Backup Container
Switch back to your private storage account (the one holding your secure containers).
Open the container named backup.
Click Refresh.

Within a few minutes, you should see the file you uploaded to the public container appear automatically in the backup container. This happens because the lab setup includes a data protection feature that copies public website files into backup storage for safety.

Resource Group Reminder
All of these containers (public, private, backup) live inside the same resource group you created at the very beginning.
That resource group is the folder holding your storage account and all containers.

Public container → serves files to the website.
Backup container → automatically keeps a copy for recovery.
Resource group → keeps everything organized in one place, so you can delete or manage them together later.

Upload file → public container.
Azure automatically backs it up → backup container.
Both containers live inside your resource group (e.g., RG-StorageLab)

Conclusion
By following these exact steps, we’ve:
Created a secure storage account.
Configured redundancy for high availability.
Built a private container.
Tested file privacy.
Shared files safely with SAS.
Set lifecycle rules to save money.
Backed up your public website storage.
This ensures your company’s documents are private, secure, and always available.