DEV Community

Cover image for Setting Up Private Storage for Internal Company Documents
SULIAT
SULIAT

Posted on

Setting Up Private Storage for Internal Company Documents

#devops #azure #cloud #learning

Introduction:

In my previous post, we explored Azure Storage and created a public website together. We established that a public website is one where all content is openly visible and accessible to anyone on the internet, just like Amazon, Temu, or Shein. When you visit Amazon to shop, every product image, description, and listing you see is publicly available. No login, no permission, and no special access is required. That is what makes it public.
Today, we are moving in a different direction. We are focusing on private storage for internal company documents, content that is not meant for everyone, but only for those who are specifically granted access. To achieve this, we will create a storage account, set up a container with restricted access inside it, configure a Shared Access Signature for partners, back up our public website storage, and implement lifecycle management to automatically move content to the cool tier.

Setting Up and Managing Private Storage

Before we dive in, it helps to understand Azure Storage's structure. Think of a storage account as a warehouse containers are the sections inside it that organize everything stored. Every file must live inside a container, you cannot store anything without one. The container we are creating today has restricted access, meaning unlike a public container where anyone with a link can view content, this one requires explicit permission. We will also back up the public website storage created previously, ensuring your content can be restored if anything goes wrong.
Equally important is lifecycle management. Think of how Amazon handles slow-selling products after weeks of inactivity, the algorithm quietly moves them away from prominent results without deleting them. Azure Storage works the same way. By default, content sits in the hot tier, designed for frequent access. When content goes untouched for a set period, such as 30 days, a lifecycle rule automatically moves it to the cool tier, which is more cost-effective for rarely accessed content. Nothing is deleted it simply moves to a more appropriate tier, quietly and automatically.
Since this is a private storage account, access requires a SAS token (Shared Access Signature). Rather than exposing your entire storage account, a SAS token grants specific access to one file for a limited window say, 12 hours after which it expires automatically. This gives external collaborators controlled, temporary access to private content without compromising your storage account's security.
Now, let us walk through the steps on how to set all of this up:

Create a storage account and configure high availability.

1. Create a storage account for the internal private company documents.

  • In the portal, search for and select Storage accounts. accounts
  • Select + Create.

create

  • Select the Resource group created in the previous lab.

group

  • Set the Storage account name to private. Add an identifier to the name to ensure the name is unique.

Private

  • Select Review, and then Create the storage account.

review

  • Wait for the storage account to deploy, and then select Go to resource.

go to

2. This storage requires high availability if there’s a regional outage. Read access in the secondary region is not required. Configure the appropriate level of redundancy.

  • In the storage account, in the Data management section, select the Redundancy blade.

blade

  • Ensure Geo-redundant storage (GRS) is selected.

GRS

  • Refresh the page.

Refresh

  • Review the primary and secondary location information.

location

  • Save your changes.

save

Create a storage container, upload a file, and restrict access to the file.

1. Create a private storage container for the corporate data.

  • In the storage account, in the Data storage section, select the Containers blade.

container

  • Select + Container.

blade

  • Ensure the Name of the container is private. Ensure the Public access level is Private (no anonymous access).

access

  • As you have time, review the Advanced settings, but take the defaults.

Itime

  • Select Create.

select
2. For testing, upload a file to the private container. he type of file doesn’t matter. A small image or text file is a good choice. Test to ensure the file isn’t publicly accessible.

  • Select the container.

Ithe

  • Select Upload.

upload

  • Browse to files and select a file.

Ifiles

  • Upload the file.

UPLOAD

  • Select the uploaded file.

Id

  • On the Overview tab, copy the URL.

tab

  • Paste the URL into a new browser tab.

new

  • Verify the file doesn’t display and you receive an error.

display
3. An external partner requires read and write access to the file for at least the next 24 hours. Configure and test a shared access signature (SAS).

  • Select your uploaded blob file and move to the Generate SAS tab.

sas

  • In the Permissions drop-down, ensure the partner has only Read permissions.

partner

  • Verify the Start and expiry date/time is for the next 24 hours.

start

  • Select Generate SAS token and URL.

URL

  • Copy the Blob SAS URL to a new browser tab.

Image

  • Verify you can access the file. If you have uploaded an image file it will display in the browser. Other file types will be downloaded.

browser

Configure storage access tiers and content replication.

  1. To save on costs, after 30 days, move blobs from the hot tier to the cool tier.
    • Return to the storage account.

Return

  • In the Overview section, notice the Default access tier is set to Hot.

hot

  • In the Data management section, select the Lifecycle management blade.

life

  • Select Add rule.

add rule

  • Set the Rule name to movetocool.

move

  • Set the Rule scope to Apply rule to all blobs in the storage account and select Next.

Scope

  • Ensure Last modified is selected.

last

  • Set More than (days ago) to 30.

MORE

  • In the Then drop-down select Move to cool storage.

COOL

  • As you have time, review other lifecycle options in the drop-down. Add the rule.

DROP
2. The public website files need to be backed up to another storage account.

  • In your storage account, create a new container called backup.

new back

  • Navigate to your publicwebsite storage account. This storage account was created in the previous exercise.

previous

  • In the Data management section, select the Object replication blade.

object

  • Select Create replication rules.

replication

  • Set the Destination storage account to the private storage account.

destination

  • Set the Source container to public and the Destination container to backup.

source

  • Create the replication rule.

Imaged

  • Upload a file to the public container. Return to the private storage account and refresh the backup container. Within a few minutes your public website file will appear in the backup folder.

step 1

Step 2

Conclusion:

With these steps, your private storage environment is fully configured. You have built a storage environment that is secure, organized, and cost-aware. Your private container is configured, your public storage is backed up, lifecycle management is running automatically, and SAS tokens are in place to control external access.

Top comments (0)