Azure Storage Accounts
Every application needs a place to store data — files, images, backups, logs, or database records. Azure Storage is the cloud storage solution from Microsoft that provides highly available, secure, durable, and massively scalable storage. An Azure Storage Account is the container that holds all Azure storage services together under one roof.
What is an Azure Storage Account?
An Azure Storage Account is an Azure resource that provides access to the Azure Storage services. When a storage account is created, it gets a globally unique name that forms the base URL for accessing data stored within it.
All data in an Azure Storage Account is encrypted at rest automatically using Microsoft-managed keys. Data is also replicated for durability — even the cheapest redundancy option keeps three copies of data in the same data center.
Storage Account URL Structure
Storage Account Name: mystorageaccount
Blob Storage URL: https://mystorageaccount.blob.core.windows.net
File Storage URL: https://mystorageaccount.file.core.windows.net
Queue Storage URL: https://mystorageaccount.queue.core.windows.net
Table Storage URL: https://mystorageaccount.table.core.windows.net
Azure Storage Services
One storage account can provide access to four distinct storage services:
Diagram – Storage Account and Its Services
┌────────────────────────────────────────────────────┐
│               Azure Storage Account                │
│                                                    │
│  ┌──────────────┐  ┌──────────────────────────┐    │
│  │ Blob Storage │  │ File Storage             │    │
│  │ (Objects/    │  │ (Managed File Shares /   │    │
│  │  Files)      │  │  SMB / NFS Protocol)     │    │
│  └──────────────┘  └──────────────────────────┘    │
│                                                    │
│  ┌──────────────┐  ┌──────────────────────────┐    │
│  │Queue Storage │  │ Table Storage            │    │
│  │(Message Queue│  │ (NoSQL key-value store)  │    │
│  │ for async    │  │                          │    │
│  │ processing)  │  │                          │    │
│  └──────────────┘  └──────────────────────────┘    │
└────────────────────────────────────────────────────┘
| Service | Data Type | Best For |
|---|---|---|
| Blob Storage | Unstructured data: images, videos, backups, documents | Static website content, media streaming, data lake storage |
| File Storage | File shares accessible over SMB or NFS protocol | Shared drives for VMs, lift-and-shift of on-premises file servers |
| Queue Storage | Messages up to 64 KB each | Decoupling application components, async task processing |
| Table Storage | Key-value data with flexible schema | Storing IoT sensor data, user sessions, lookup tables |
Storage Account Types
| Account Type | Services Supported | Performance | Best For |
|---|---|---|---|
| Standard general-purpose v2 (GPv2) | Blob, File, Queue, Table | Standard (HDD) | Most use cases — the default and recommended type |
| Premium Block Blobs | Block Blob only | Premium (SSD) | AI/ML workloads, analytics, high-transaction scenarios |
| Premium File Shares | File only | Premium (SSD) | Enterprise file applications requiring low latency |
| Premium Page Blobs | Page Blob only | Premium (SSD) | Virtual machine disks (VHD files) |
Storage Redundancy Options
Azure automatically replicates stored data to protect against hardware failures, power outages, and natural disasters. The level of replication is controlled by the redundancy option chosen at the time of account creation.
| Redundancy | Copies | Where Replicated | Protects Against |
|---|---|---|---|
| LRS (Locally Redundant Storage) | 3 | Same data center (single building) | Drive and rack failures |
| ZRS (Zone Redundant Storage) | 3 | Three availability zones in same region | Data center failures within a region |
| GRS (Geo Redundant Storage) | 6 | 3 copies in primary region + 3 copies in paired region | Regional disasters and outages |
| GZRS (Geo Zone Redundant Storage) | 6 | 3 across zones in primary region + 3 in paired region | Zone + regional failures (highest durability) |
| RA-GRS | 6 | Same as GRS but secondary copy is readable | Regional outages with read availability during failure |
Diagram – GRS Replication
Primary Region: East US
┌────────────────────────────────┐
│ LRS: 3 copies within one │
│ data center (rack A, B, C) │
└───────────────┬────────────────┘
                │
                │ Async replication
                ▼
Secondary Region: West US (paired)
┌────────────────────────────────┐
│ LRS: 3 copies within one │
│ data center (read-only) │
└────────────────────────────────┘
Storage Account Security
Access Keys
Every storage account has two 512-bit access keys that grant full access to all data. These keys should be stored securely in Azure Key Vault and rotated regularly.
Shared Access Signatures (SAS)
A SAS token is a URL string that grants limited, time-bound access to specific storage resources. Instead of sharing the full access key, a SAS token can be generated to allow a specific operation (like reading one file) that expires after a set time.
Example: SAS URL for a Blob
https://mystorageaccount.blob.core.windows.net/photos/image1.jpg
  ?sv=2023-01-03
  &st=2024-01-01T00:00:00Z    ← Start time
  &se=2024-01-02T00:00:00Z    ← Expiry time (24 hours)
  &sr=b                       ← Resource type: blob
  &sp=r                       ← Permission: read only
  &sig=AbCdEf...              ← Cryptographic signature
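The SAS parameters annotated above can be reviewed before a link is handed out. The following is an added example, not part of the original page: it parses a SAS URL and reports settings that widen access. The 24-hour lifetime limit, the finding texts and the function names are assumptions; `spr` (allowed protocol) and `sip` (allowed source IP) are optional SAS fields that the page's sample does not set.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed policy limit, not an Azure limit
READ_ONLY = set("rl")               # read and list; anything else is flagged

# Constructed sample: the page's URL with a placeholder signature.
PAGE_SAS = ("https://mystorageaccount.blob.core.windows.net/photos/image1.jpg"
            "?sv=2023-01-03&st=2024-01-01T00:00:00Z&se=2024-01-02T00:00:00Z"
            "&sr=b&sp=r&sig=PLACEHOLDER")
# Constructed sample: container-wide, read/write/delete/list, valid one year.
BROAD_SAS = ("https://mystorageaccount.blob.core.windows.net/photos"
             "?sv=2023-01-03&st=2024-01-01T00:00:00Z&se=2025-01-01T00:00:00Z"
             "&sr=c&sp=rwdl&spr=https&sip=203.0.113.7&sig=PLACEHOLDER")


def _ts(value):
    # Handles the full timestamp form used on the page (YYYY-MM-DDThh:mm:ssZ).
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_sas(url, now):
    """Return a list of findings for one SAS URL; an empty list means none."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if "se" in q:
        expiry = _ts(q["se"])
        start = _ts(q["st"]) if "st" in q else now
        if expiry <= now:
            findings.append("token has expired")
        if expiry - start > MAX_LIFETIME:
            findings.append("lifetime exceeds 24 hours")
    else:
        # Expiry may come from a stored access policy referenced by `si`.
        findings.append("no se parameter: expiry not visible in the URL")
    extra = set(q.get("sp", "")) - READ_ONLY
    if extra:
        findings.append("grants more than read: " + "".join(sorted(extra)))
    if q.get("sr") == "c":
        findings.append("scope is the whole container, not one blob")
    if q.get("spr") != "https":
        findings.append("plain HTTP not excluded (spr is not https)")
    if "sip" not in q:
        findings.append("no source IP restriction (sip not set)")
    return findings
```

Run against the page's sample, the only findings are the two optional restrictions it leaves unset; the container-wide sample is flagged for lifetime, permissions and scope.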
Storage Firewall and Virtual Network Rules
By default, a storage account accepts connections from all networks. The storage firewall can restrict access to specific IP ranges or specific Azure VNets, preventing unauthorized access from the public internet.
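One way to check the firewall settings described above, as an added example that is not part of the original page: it reviews the `networkAcls` property of a storage account resource definition. The sample fragments, the 64-address threshold and the function names are assumptions, and `public_ip_admitted` is a simplified model of the IP rule check only.

```python
import ipaddress

# Constructed fragments shaped like the `networkAcls` property of a
# Microsoft.Storage/storageAccounts resource; all values are made up.
OPEN_ACCOUNT = {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
LOCKED_ACCOUNT = {
    "defaultAction": "Deny",
    "ipRules": [{"value": "203.0.113.0/28", "action": "Allow"},
                {"value": "198.51.100.0/24", "action": "Allow"}],
    "virtualNetworkRules": [],
}
MAX_RANGE = 64  # assumed policy: flag allowed ranges larger than a /26


def audit_network_acls(acls):
    """Return findings for one networkAcls fragment."""
    if acls.get("defaultAction", "Allow") != "Deny":
        # Allow rules only take effect once the default action is Deny.
        return ["defaultAction is Allow: reachable from all networks"]
    findings = []
    for rule in acls.get("ipRules", []):
        net = ipaddress.ip_network(rule["value"], strict=False)
        if net.num_addresses > MAX_RANGE:
            findings.append(f"broad IP rule {net} ({net.num_addresses} addresses)")
    return findings


def public_ip_admitted(acls, client_ip):
    """Simplified model of the public-endpoint IP check only; it ignores
    VNet rules, private endpoints and trusted-service bypass."""
    if acls.get("defaultAction", "Allow") != "Deny":
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["value"], strict=False)
               for r in acls.get("ipRules", []))
```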
Storage Access Tiers (Blob Storage)
Blob Storage offers different access tiers to optimize cost based on how frequently data is accessed:
| Tier | Access Frequency | Storage Cost | Access Cost | Best For |
|---|---|---|---|---|
| Hot | Frequently accessed | Higher | Lower | Active website content, frequently updated files |
| Cool | Infrequently accessed (30+ days) | Lower | Higher | Backups, disaster recovery, older media files |
| Cold | Rarely accessed (90+ days) | Even Lower | Higher | Long-term archives accessed occasionally |
| Archive | Very rarely accessed (180+ days) | Lowest | Highest + rehydration time | Compliance archives, legal records, raw data backups |
Key Takeaways
- An Azure Storage Account is the top-level container that provides access to Blob, File, Queue, and Table storage services.
- General-purpose v2 (GPv2) is the default and most widely used storage account type.
- Redundancy options range from LRS (single data center, 3 copies) to GZRS (zone + geo redundant, 6 copies).
- Access keys provide full access; SAS tokens provide limited, time-bound access for secure data sharing.
- Blob access tiers (Hot, Cool, Cold, Archive) allow cost optimization based on how often data is accessed.
