Azure Storage
Use storage accounts, blob tiers, redundancy options, and secure access.
A storage account is the container for Azure’s storage services: Blob (objects), Files (SMB shares), Queues, and Tables. Two dimensions you must understand for AZ-104:
- Access tiers (Blob): Hot (frequent), Cool (infrequent, ~30 days), Cold, Archive (rare, hours to retrieve). Cheaper storage = costlier/slower access.
- Redundancy: LRS (3 copies in one datacenter), ZRS (across zones), GRS (replicated to a paired region), GZRS (zones + region).
Secure access with Entra ID + RBAC (preferred), SAS tokens (scoped, time-limited), or account keys (avoid). Lifecycle rules auto-move blobs to cheaper tiers as they age.
az storage account create -g rg-data -n stmyapp01 \
--sku Standard_GRS --access-tier Hot
# Generate a read-only SAS for a blob, valid 1 hour
az storage blob generate-sas --account-name stmyapp01 \
-c uploads -n report.pdf --permissions r \
--expiry 2026-06-22T15:00Z- Choose an access tier for: live website assets, monthly backups, 7-year archives.
- Pick a redundancy option that survives a full region outage.
- Explain why a SAS token is safer to share than an account key.
- Describe a lifecycle rule that archives blobs older than 90 days.
Cheat Sheet▾
| Option | Use |
|---|---|
| Hot tier | Frequent access |
| Cool / Cold | Infrequent (30+ days) |
| Archive | Rare, slow retrieval |
| LRS | 3 copies, one datacenter |
| ZRS | Across availability zones |
| GRS / GZRS | Replicated to paired region |
| SAS token | Scoped, time-limited access |
Common Interview Questions▾
What are Azure Blob access tiers?
Hot (frequent access, higher storage cost), Cool/Cold (infrequent, lower storage but higher access cost), and Archive (rarely accessed, cheapest, retrieval takes hours). Lifecycle policies move data between them.
What's the difference between LRS, ZRS, and GRS?
LRS keeps three copies in one datacenter; ZRS spreads copies across availability zones; GRS also replicates to a paired region for regional disaster protection.
Why prefer a SAS token over the storage account key?
A SAS grants narrowly scoped, time-limited, permission-specific access, whereas the account key grants full control and can’t be easily revoked without rotation.