
Noble
Azure Blob Storage for Beginners: Private Access, SAS Tokens & Cost Savings Explained

What is Microsoft Azure Blob Storage?
Microsoft Azure Blob Storage is an object storage service for files, images, backups, videos, logs, static websites, etc. Think of it as "cloud hard drives accessible over HTTP".

What is Private Access?
Private access simply relates to permissions. To buttress further, it means files cannot be accessed unless the requester is authenticated or explicitly authorized.

What are SAS Tokens?
A SAS (Shared Access Signature) token in MS Azure is a secure, temporary permission token for accessing storage resources, i.e. files, images, videos, etc., as explained under Blob Storage above. The token can be valid for 1 hour, 24 hours, or for as long as you want the recipient to have access to your blob.

What is Cost Savings?
As the title says, it simply means achieving desired results without spending too much.
What is GRS Redundancy?
GRS (geo-redundant storage) is a replication option that protects your data by automatically copying it to another Azure region, so the data stays safe across regions.

What we will build:
• Using GRS redundancy, we will build a private storage account.
• A restricted blob container for internal documents.
• A time-limited SAS token for partner access.
• Automated lifecycle rules to move blobs to Cool tier after 30 days.
• Cross-account object replication for public website backup.

Step 1: Log in to your Azure portal and use the search bar to look up storage accounts, then select +Create so you can start.


- Create a new resource group.
- Choose a storage name that is globally unique and let all letters be lowercase.
- Performance should be Standard.
- Review and create.


Once your storage account has been deployed, select Go to resource so you can see an overview of the storage account and make adjustments when needed.


The next step is to select geo-redundant storage (GRS); the image below will guide us.

In the Storage Account, navigate to the Data Storage section and select Containers. Click +Container to create a new container.
Configure the container with the following settings:
Container name: Private
Public access level: Private (no anonymous access)
Why use a private container?
Setting the container access level to Private prevents unauthorized users from viewing or downloading files through a direct URL. Access is only possible through authorized methods such as an account key or a Shared Access Signature (SAS) token. This helps protect internal company files from being exposed to the public internet.
For testing, upload a file to the private container. The type of file doesn’t matter. A small image or text file is a good choice. Then test to ensure the file isn’t accessible to everyone.

Select the container.
Select Upload.
Browse to files and select a file.
Upload the file.
Select the uploaded file.
Paste the URL into a new browser tab.

Verify that the file doesn’t display and that you receive an error. You should see a Resource Not Found or 403 (Forbidden) error message. This is correct! It confirms that the container rejects anonymous requests and that your files are safe from prying eyes.

Configure and Test a SAS Token

An external partner requires access to the file for the next 24 hours. To configure and test a Shared Access Signature (SAS), follow these steps:
Select the uploaded blob file and navigate to the Generate SAS tab.
Click Generate SAS token and URL.
Copy the generated Blob SAS URL immediately. Azure will not display it again after you close the panel.
Treat the SAS URL like a password and do not share it publicly.
In the Permissions section, grant only the required access permissions, such as Read or Write, based on the partner’s needs.
Verify that the Start date/time and Expiry date/time are configured for the next 24 hours (or the requested duration).
Test the SAS URL
Copy the Blob SAS URL and open it in a new browser tab.
Confirm that the file is accessible:
If the file is an image, it will display directly in the browser.
Other file types may automatically download instead.


Now copy this new URL and paste it into your browser, and you will see that the file now opens. It will be accessible to anyone who has this URL for the next 24 hours, and not after that.
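Before sending the Blob SAS URL to the partner, it is worth checking that its query parameters match what was requested. The following is an added example, not part of the original post: it reads the standard SAS parameters (sp, st, se, sr, spr, sig) and reports anything broader than a read-only, single-blob, HTTPS-only, 24-hour grant. The account name, blob path and signature are constructed placeholders, and the function name review_sas_url is hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

def parse_sas_time(value):
    """Parse the UTC timestamp formats commonly seen in the st/se parameters."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")

def review_sas_url(url, allowed_perms="r", max_lifetime=timedelta(hours=24), now=None):
    """Return findings for a blob SAS URL; an empty list means it fits the policy."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    # Without spr=https the token is also accepted over plain HTTP.
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("not HTTPS-only (spr), token may travel over plain HTTP")
    extra = sorted(set(q.get("sp", "")) - set(allowed_perms))
    if extra:
        findings.append(f"sp grants more than requested: {''.join(extra)}")
    if q.get("sr") != "b":  # b = one blob, c = whole container
        findings.append(f"sr={q.get('sr')} is wider than a single blob")
    if "se" not in q:
        findings.append("no expiry (se) in the URL")
    else:
        expiry = parse_sas_time(q["se"])
        start = parse_sas_time(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("token has already expired")
        elif expiry - start > max_lifetime:
            findings.append(f"lifetime {expiry - start} exceeds {max_lifetime}")
    return findings

# Constructed sample URLs: account, blob and signature are placeholders.
BASE = "https://examplestorage.blob.core.windows.net/private/report.txt?sv=2022-11-02"
GOOD = BASE + ("&st=2024-05-01T09%3A00%3A00Z&se=2024-05-02T09%3A00%3A00Z"
               "&sr=b&sp=r&spr=https&sig=PLACEHOLDER")
BAD = BASE + ("&st=2024-05-01T09%3A00%3A00Z&se=2025-05-01T09%3A00%3A00Z"
              "&sr=c&sp=rwd&sig=PLACEHOLDER")
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, review_sas_url(url, now=NOW) or "ok")
```

The check only reads the URL; it does not verify the signature, so it complements rather than replaces the browser test above.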


Configure Storage Access Tiers and Content Replication
To reduce storage costs, configure a lifecycle management rule that automatically moves blobs from the Hot access tier to the Cool access tier after 30 days.
Create a new storage account and name it publicwebbsite.
Then, inside the publicwebbsite storage account, create another container and call it backup.

Hot vs. Cool Storage

Azure storage pricing is based on how frequently data is accessed:
Hot tier – Designed for data that is accessed frequently. It offers faster access but at a higher storage cost.
Cool tier – Intended for data that is accessed infrequently. It is more cost-effective but may have slightly slower access times.
Lifecycle management rules automate this transition, eliminating the need to manually move files between tiers.
Configure a Lifecycle Management Rule
Return to the Storage Account.
In the Overview section > Properties > Blob service, verify that the Default access tier is set to Hot.
Under the Data Management section, select Lifecycle management.
Click Add a rule.
Configure the rule with the following settings:
Rule name: movetocool
Rule scope: Apply rule to all blobs in the storage account
Select Next.
Ensure Last modified is selected.
Set More than (days ago) to 30.
From the action drop-down menu, select Move to cool storage.
Review any additional lifecycle management options if desired.
Select Add a rule to create the rule.
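The portal steps above produce a lifecycle policy document that can also be viewed and edited as JSON. The following is an added example, not part of the original post: it builds that document for the movetocool rule and applies a simplified model of the rule to constructed blob metadata, to show which blobs would be tiered. The function blobs_due_for_cool and the sample blob records are hypothetical; Azure's own evaluation runs inside the service.

```python
import json
from datetime import datetime, timedelta, timezone

# Policy matching the portal settings above: rule "movetocool", all block
# blobs in the account, last modified more than 30 days ago -> Cool tier.
MOVE_TO_COOL_POLICY = {
    "rules": [{
        "enabled": True,
        "name": "movetocool",
        "type": "Lifecycle",
        "definition": {
            "filters": {"blobTypes": ["blockBlob"]},
            "actions": {"baseBlob": {
                "tierToCool": {"daysAfterModificationGreaterThan": 30}}},
        },
    }]
}

def policy_json(policy=MOVE_TO_COOL_POLICY):
    """Serialise the policy, e.g. to save as a file and keep under version control."""
    return json.dumps(policy, indent=2)

def blobs_due_for_cool(policy, blobs, now):
    """Simplified model: names of Hot blobs the policy would move to Cool."""
    due = []
    for rule in policy["rules"]:
        if not rule["enabled"]:
            continue
        d = rule["definition"]
        prefixes = d["filters"].get("prefixMatch")  # absent = whole account
        days = d["actions"]["baseBlob"]["tierToCool"]["daysAfterModificationGreaterThan"]
        for b in blobs:
            if b["tier"] != "Hot" or b["type"] not in d["filters"]["blobTypes"]:
                continue
            if prefixes and not any(b["name"].startswith(p) for p in prefixes):
                continue
            if now - b["last_modified"] > timedelta(days=days):
                due.append(b["name"])
    return due

# Constructed blob metadata for the "backup" container.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_BLOBS = [
    {"name": "backup/index.html", "type": "blockBlob", "tier": "Hot",
     "last_modified": datetime(2024, 5, 1, tzinfo=timezone.utc)},   # 60 days old
    {"name": "backup/new.css", "type": "blockBlob", "tier": "Hot",
     "last_modified": datetime(2024, 6, 20, tzinfo=timezone.utc)},  # 10 days old
    {"name": "backup/edge.js", "type": "blockBlob", "tier": "Hot",
     "last_modified": datetime(2024, 5, 31, tzinfo=timezone.utc)},  # exactly 30 days
]
```

A blob that is exactly 30 days old is not moved, because the condition is "more than" 30 days.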
Content Replication Requirement
The public website files should also be replicated and backed up to another storage account to improve redundancy and ensure data protection. To do that, follow the steps in the annotated images below.


Then adjust the settings as seen in the annotated image below.


This is what is involved in creating a redundant storage account.

You're welcome!