Manage Azure Storage
Marcelo Leite Gomes
IT Support Analyst | Support End-Users | Helpdesk | Troubleshooting | Infrastructure
Let’s manage some files. The scenario is as follows: you need to evaluate the use of Azure storage for storing files that currently reside in on-premises data stores. While the majority of these files are not accessed frequently, there are some exceptions. You would like to minimize the cost of storage by placing less frequently accessed files in lower-priced storage tiers. You also plan to explore the different protection mechanisms that Azure Storage offers, including network access, authentication, authorization, and replication. Finally, you want to determine to what extent the Azure Files service might be suitable for hosting your on-premises file shares.
Provision the lab environment
To start we need to deploy an Azure virtual machine that we will use later.
1. Sign in to the Azure portal.
2. In the Azure portal, open the Azure Cloud Shell by clicking on the icon in the top right of the Azure Portal.
3. If prompted to select either Bash or PowerShell, select PowerShell.
Note: If this is the first time you are starting Cloud Shell and you are presented with the You have no storage mounted message, select the subscription you are using in this lab, and click Create storage.
4. In the toolbar of the Cloud Shell pane, click the Upload/Download files icon, in the drop-down menu, click Upload and upload your VM template and VM parameters json files into the Cloud Shell home directory.
5. From the Cloud Shell pane, run the following to create the resource group that will be hosting the virtual machine (replace the ‘[Azure_region]’ placeholder with the name of an Azure region where you intend to deploy the Azure virtual machine).
Note: To list the names of Azure regions, run (Get-AzLocation).Location
Note: Each command below should be typed separately.
$location = '[Azure_region]'
$rgName = 'az104-07-rg0'
New-AzResourceGroup -Name $rgName -Location $location
6.?From the Cloud Shell pane, run the following to deploy the virtual machine by using the uploaded template and parameter files:
Note: You will be prompted to provide an Admin password.
New-AzResourceGroupDeployment `
-ResourceGroupName $rgName `
-TemplateFile $HOME/az104-07-vm-template.json `
-TemplateParameterFile $HOME/az104-07-vm-parameters.json `
-AsJob
Note: Do not wait for the deployments to be completed. Proceed to the next task.
Note: If you got an error stating the VM size is not available, please ask your instructor for assistance and try these steps.
1. Click on the {} button in your CloudShell, select your VM parameters JSON file from the left-hand side bar and take note of the vmSize parameter value.
2. Check the location in which the ‘az104-04-rg1’ resource group is deployed. You can run az group show -n az104-04-rg1 --query location in your CloudShell to get it.
3. Run az vm list-skus --location <Replace with your location> -o table --query "[? contains(name,'Standard_D2s')].name" in your CloudShell.
4. Replace the value of the vmSize parameter with one of the values returned by the command you just ran.
5. Now redeploy your templates by running the New-AzResourceGroupDeployment command again. You can press the up arrow key a few times to bring back the last executed command.
7. Close the Cloud Shell pane.
Create and configure Azure Storage accounts
In the next step we will create and configure an Azure Storage account.
1. In the Azure portal, search for and select Storage accounts, and then click + Create.
2. On the Basics tab of the Create storage account blade, specify the following settings (leave others with their default values):
3. Click Next: Advanced >, on the Advanced tab of the Create storage account blade, review the available options, accept the defaults, and click Next: Networking >.
4. On the Networking tab of the Create storage account blade, review the available options, accept the default option Enable public access from all networks and click Next: Data protection >.
5. On the Data protection tab of the Create storage account blade, review the available options, accept the defaults, click Review + Create, wait for the validation process to complete, and click Create.
Note: Wait for the Storage account to be created. This should take about 2 minutes.
6. On the deployment blade, click Go to resource to display the Azure Storage account blade.
7. On the Storage account blade, in the Data management section, click Redundancy and note the secondary location.
8. In the Redundancy drop-down list select Locally redundant storage (LRS) and save the change. Note, at this point, the Storage account has only the primary location.
9. On the Storage account blade, in the Settings section, select Configuration. Set Blob access tier (default) to Cool and save the change.
Note: The cool access tier is optimal for data which is not accessed frequently.
Manage blob storage
In this task, you will create a blob container and upload a blob into it.
1. On the Storage account blade, in the Data storage section, click Containers, then click + Container.
2. Create a container with the following settings:
3. In the list of containers, click az104-07-container and then click Upload.
4. Browse, choose any text file on your computer, just for test, and click Open.
5. On the Upload blob blade, expand the Advanced section and specify the following settings (leave others with their default values):
Note: Access tier can be set for individual blobs.
6. Click Upload.
Note: The upload automatically created a subfolder named licenses.
7. Back on the az104-07-container blade, click licenses and then click LICENSE.
8. On the licenses/LICENSE blade, review the available options.
Note: You have the option to download the blob, change its access tier (it is currently set to Hot), acquire a lease, which would change its lease status to Locked (it is currently set to Unlocked) and protect the blob from being modified or deleted, as well as assign custom metadata (by specifying arbitrary key and value pairs). You also have the ability to Edit the file directly within the Azure portal interface, without downloading it first. You can also create snapshots, as well as generate a SAS token (you will explore this option in the next task).
Manage authentication and authorization for Azure Storage
Next, we will configure authentication and authorization for Azure Storage.
1. On the licenses/LICENSE blade, on the Overview tab, click the Copy to clipboard button next to the URL entry.
2. Open another browser window by using InPrivate mode and navigate to the URL you copied in the previous step.
3. You should be presented with an XML-formatted message stating ResourceNotFound or PublicAccessNotPermitted.
Note: This is expected, since the container you created has the public access level set to Private (no anonymous access).
4. Close the InPrivate mode browser window, return to the browser window showing the licenses/LICENSE blade of the Azure Storage container, and switch to the Generate SAS tab.
5. On the Generate SAS tab of the licenses/LICENSE blade, specify the following settings (leave others with their default values):
6. Click Generate SAS token and URL.
7. Click the Copy to clipboard button next to the Blob SAS URL entry.
8. Open another browser window by using InPrivate mode and navigate to the URL you copied in the previous step.
Note: If you are using Microsoft Edge, you should be presented with The MIT License (MIT) page. If you are using Chrome, Microsoft Edge (Chromium) or Firefox, you should be able to view the content of the file by downloading it and opening it with Notepad.
Note: This is expected, since now your access is authorized based on the newly generated SAS token.
Note: Save the blob SAS URL. You will need it later in this lab.
9. Close the InPrivate mode browser window, return to the browser window showing the licenses/LICENSE blade of the Azure Storage container, and from there, navigate back to the az104-07-container blade.
10. Click the Switch to the Entra ID User Account link next to the Authentication method label.
Note: You can see an error when you change the authentication method (the error is “You do not have permissions to list the data using your user account with Entra ID”). It is expected.
Note: At this point, you do not have permission to change the Authentication method.
11. On the az104-07-container blade, click Access Control (IAM).
12. On the Check access tab, click Add role assignment.
13. On the Add role assignment blade, specify the following settings:
14. Click Review + Assign and then Review + assign, return to the Overview blade of the az104-07-container container, and verify that you can change the Authentication method to (Switch to Entra ID User Account).
Note: It might take about 5 minutes for the change to take effect.
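A blob SAS URL like the one generated in steps 5-7 is a bearer credential: whoever holds the URL gets whatever the token allows until it expires. The following PowerShell function is an added example, not part of the original lab; it reads the standard SAS query parameters (sp, st, se, spr, sip) and reports settings worth tightening before the URL is shared. The sample URL, account name and the 24-hour lifetime threshold are constructed assumptions.

```powershell
# Added example (not from the original lab): review a blob SAS URL before sharing it.
Add-Type -AssemblyName System.Web   # provides [System.Web.HttpUtility]

function Test-BlobSasUrl {
    param(
        [Parameter(Mandatory)] [string] $SasUrl,
        [int] $MaxLifetimeHours = 24          # assumed policy threshold
    )
    $uri    = [System.Uri]$SasUrl
    $query  = [System.Web.HttpUtility]::ParseQueryString($uri.Query)   # URL-decodes values
    $inv    = [cultureinfo]::InvariantCulture
    $issues = @()

    # sp = signed permissions; reading one blob only needs 'r'
    $sp = $query['sp']
    if ($sp -and $sp -cne 'r') { $issues += "permissions '$sp' exceed read-only" }

    # se = expiry, st = optional start (both UTC, ISO 8601)
    if (-not $query['se']) {
        $issues += 'no expiry (se) in the token'
    } else {
        $expiry = [datetimeoffset]::Parse($query['se'], $inv)
        $start  = if ($query['st']) { [datetimeoffset]::Parse($query['st'], $inv) }
                  else { [datetimeoffset]::UtcNow }
        $hours  = [math]::Round(($expiry - $start).TotalHours, 1)
        if ($hours -gt $MaxLifetimeHours) { $issues += "lifetime of $hours h exceeds $MaxLifetimeHours h" }
    }

    # spr = allowed protocols; when absent the service accepts both https and http
    if ($query['spr'] -ne 'https') { $issues += 'plain HTTP is allowed (spr is not https)' }

    # sip = allowed source IP or range
    if (-not $query['sip']) { $issues += 'no source IP restriction (sip)' }

    # The signature (sig) is deliberately never echoed.
    [pscustomobject]@{ Blob = $uri.AbsolutePath; Permissions = $sp; Issues = $issues }
}

# Constructed sample URL (placeholder account and signature), not a real token
$sample = 'https://constructedaccount.blob.core.windows.net/az104-07-container/licenses/LICENSE' +
          '?sv=2022-11-02&sr=b&sp=rw&st=2024-01-01T08%3A00%3A00Z&se=2024-03-01T08%3A00%3A00Z' +
          '&spr=https,http&sig=CONSTRUCTED'
Test-BlobSasUrl -SasUrl $sample | Format-List
```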
Create and configure Azure Files shares
We are almost there. Now, we will create and configure Azure Files shares.
Note: Before you start this task, verify that the virtual machine you provisioned in the first task of this lab is running.
1. In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the Data storage section, click File shares.
2. Click + File share and create a file share with the name az104-07-share. You can change the name according to your company's definitions.
3. Click the newly created file share and click Connect.
4. On the Connect blade, ensure that the Windows tab is selected. Below you will find a button with the label Show Script.
5. Click on the button and you will find a grey textbox with a script. In the bottom right corner of that box, hover over the pages icon and click Copy to clipboard.
6. In the Azure portal, search for and select Virtual machines, and, in the list of virtual machines, click az104-07-vm0.
7. On the az104-07-vm0 blade, in the Operations section, click Run command.
8. On the az104-07-vm0 - Run command blade, click RunPowerShellScript.
9. On the Run Command Script blade, paste the script you copied earlier in this task into the PowerShell Script pane and click Run.
10. Verify that the script was completed successfully.
11. Replace the content of the PowerShell Script pane with the following script and click Run:
New-Item -Type Directory -Path 'Z:\az104-07-folder'
New-Item -Type File -Path 'Z:\az104-07-folder\az-104-07-file.txt'
12. Verify that the script was completed successfully.
13. Navigate back to the az104-07-share file share blade, click Browse, and verify that az104-07-folder appears in the list of folders.
14. Click az104-07-folder and verify that az104-07-file.txt appears in the list of files.
Manage network access for Azure Storage
Finally, the last part. We need to configure network access for Azure Storage.
1. In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the Security + Networking section, click Networking and then click Firewalls and virtual networks.
2. Click the Enabled from selected virtual networks and IP addresses option.
3. Review the configuration settings that become available once this option is enabled.
Note: You can use these settings to configure direct connectivity between Azure virtual machines on designated subnets of virtual networks and the storage account by using service endpoints.
4. Click the checkbox Add your client IP address and save the change.
5. Open another browser window by using InPrivate mode and navigate to the blob SAS URL you generated in the previous task.
Note: If you did not record the SAS URL from task 4, you should generate a new one with the same configuration. Use Task 4 steps 4-6 as a guide for generating a new blob SAS URL.
6. You should be presented with the content of The MIT License (MIT) page.
Note: This is expected, since you are connecting from your client IP address.
7. Close the InPrivate mode browser window, return to the browser window showing the Networking blade of the Azure Storage account.
8. In the Azure portal, open the Azure Cloud Shell by clicking on the icon in the top right of the Azure Portal.
9. If prompted to select either Bash or PowerShell, select PowerShell.
10. From the Cloud Shell pane, run the following to attempt downloading of the LICENSE blob from the az104-07-container container of the storage account (replace the [blob SAS URL] placeholder with the blob SAS URL you generated in the previous task):
Invoke-WebRequest -URI '[blob SAS URL]'
11. Verify that the download attempt failed.
Note: You should receive the message stating AuthorizationFailure: This request is not authorized to perform this operation. This is expected, since you are connecting from the IP address assigned to an Azure VM hosting the Cloud Shell instance.
12. Close the Cloud Shell pane.
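The storage account in this lab was created with Enable public access from all networks and only later restricted to selected networks and IP addresses. The following PowerShell function is an added example, not part of the original lab; it reports accounts that are still in the weaker state by reading properties of the objects that Get-AzStorageAccount returns. The sample object and its account name are constructed so the function can be tried without a subscription.

```powershell
# Added example (not from the original lab): flag storage accounts whose network
# or transport settings are weaker than the configuration built in this task.
function Get-StorageExposureFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        $issues = @()
        $rules  = $Account.NetworkRuleSet

        # Firewall default action: 'Allow' means reachable from all networks
        if ($rules.DefaultAction -ne 'Deny') {
            $issues += 'firewall default action is Allow (all networks)'
        }
        # Anonymous (public) blob access not explicitly disabled at account level
        if ($Account.AllowBlobPublicAccess -ne $false) {
            $issues += 'anonymous blob access is not disabled at account level'
        }
        # Plain HTTP accepted by the account
        if (-not $Account.EnableHttpsTrafficOnly) {
            $issues += 'HTTP traffic is allowed'
        }

        [pscustomobject]@{
            Account       = $Account.StorageAccountName
            DefaultAction = "$($rules.DefaultAction)"
            AllowedIPs    = @($rules.IpRules.IPAddressOrRange | Where-Object { $_ })
            Issues        = $issues
        }
    }
}

# Constructed sample mimicking an account left at the creation defaults
$sample = [pscustomobject]@{
    StorageAccountName     = 'constructedaccount'
    NetworkRuleSet         = [pscustomobject]@{ DefaultAction = 'Allow'; IpRules = @() }
    AllowBlobPublicAccess  = $false
    EnableHttpsTrafficOnly = $true
}
$sample | Get-StorageExposureFinding | Format-List

# Against the live subscription (needs a signed-in Az session, as in Cloud Shell):
# Get-AzStorageAccount | Get-StorageExposureFinding | Where-Object { $_.Issues }
```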
IT Consultant / Senior Infrastructure Analyst / 12x Microsoft Certification / Lean Certificate / Gsuite Certificate / ITIL Certificate
5 months ago: Great tips and insights for Azure Administrator course (AZ104).