This chapter covers Azure Blob Storage development, a core topic for the AZ-204 exam. Blob storage is Microsoft's object storage solution for the cloud, used for storing massive amounts of unstructured data. Expect approximately 15-20% of exam questions to touch on blob storage, including its features, access methods, security, and optimization techniques. Mastering this chapter is essential for passing the exam.
Jump to a section
Imagine a massive warehouse with three distinct storage areas: a high-speed shelf right at the loading dock (Hot tier), a slightly farther shelf that takes a bit longer to retrieve (Cool tier), and a deep archive vault in the basement accessible only by request (Archive tier). Blobs are like boxes placed on these shelves. Each box has a unique barcode (URL) and can contain any type of product (data). The warehouse manager (Azure Storage) uses a catalog (container) to organize boxes. When a customer wants a box, they call the warehouse with the barcode (HTTP request). The manager checks the catalog, finds the shelf location, and retrieves the box. If the box is in the archive vault, the manager must first request its retrieval (rehydration), which takes up to 15 hours. The warehouse also offers different service levels: Standard (general purpose) and Premium (faster, for high-performance needs). The warehouse can automatically move boxes between shelves based on access patterns (lifecycle management). Access to the warehouse is controlled by keys (account keys) or signed passes (SAS tokens). This system ensures efficient storage and retrieval at the lowest cost.
What is Azure Blob Storage?
Azure Blob Storage is Microsoft's object storage solution for the cloud. It is optimized for storing massive amounts of unstructured data, such as text or binary data. Blob storage is ideal for serving images or documents directly to a browser, storing files for distributed access, streaming video and audio, storing data for backup and restore, disaster recovery, and archiving, and storing data for analysis by an on-premises or Azure-hosted service.
Blob Storage Architecture
Blob storage consists of three components: a storage account, containers, and blobs. A storage account provides a unique namespace for your data. Every object in Azure Storage has a URL address that includes the storage account name. For example, https://mystorageaccount.blob.core.windows.net. Containers are similar to directories in a file system, organizing a set of blobs. A container can contain any number of blobs, and a storage account can contain any number of containers, up to 500 TB total capacity. Blobs are the actual data objects. There are three types of blobs: Block blobs (for text and binary data, up to ~4.75 TB), Append blobs (optimized for append operations, like logging), and Page blobs (for random read/write operations, up to 8 TB, used for VHDs).
How Blob Storage Works Internally
When you upload a blob, Azure Storage splits the data into blocks (for block blobs) or pages (for page blobs). Each block is identified by a block ID. The client sends the blocks individually or in parallel. After all blocks are uploaded, the client commits the blob by sending a list of block IDs in order. Azure Storage then assembles the blob from these blocks. For read operations, the client requests the blob by its URL, and Azure Storage returns the entire blob or a range of bytes. Blob storage uses a flat namespace, but you can simulate a hierarchical structure by using a naming convention with forward slashes (e.g., container/folder1/subfolder2/blob.txt).
Key Components and Defaults
Storage account types: General-purpose v2 (GPv2) is the primary account type for blob storage. It supports all storage services and the latest features. Blob storage accounts are legacy and not recommended. Block blob storage accounts offer premium performance for block blobs and append blobs.
Access tiers: Hot (optimized for frequent access), Cool (optimized for infrequent access, stored for at least 30 days), and Archive (optimized for rarely accessed data, stored for at least 180 days). Tiers can be set at the blob level or inherited from the account default.
Replication: LRS (locally redundant storage, 3 copies within a single datacenter), ZRS (zone-redundant storage, 3 copies across availability zones), GRS (geo-redundant storage, LRS in primary region + LRS in secondary region), RA-GRS (read-access geo-redundant storage, read access to secondary region).
URIs: Blob endpoint: https://<storage-account>.blob.core.windows.net. Container URI: https://<storage-account>.blob.core.windows.net/<container>. Blob URI: https://<storage-account>.blob.core.windows.net/<container>/<blob>.
Default timeout: The server timeout for blob operations is 30 seconds for most operations. You can set a client-side timeout.
Configuration and Verification Commands
Using Azure CLI:
# Create a storage account
az storage account create --name mystorageaccount --resource-group myResourceGroup --location eastus --sku Standard_LRS --kind StorageV2
# Create a container
az storage container create --name mycontainer --account-name mystorageaccount --auth-mode login
# Upload a blob
az storage blob upload --container-name mycontainer --file myfile.txt --name myblob.txt --account-name mystorageaccount --auth-mode login
# List blobs
az storage blob list --container-name mycontainer --account-name mystorageaccount --auth-mode login --query "[].{name:name}"
# Set blob tier
az storage blob set-tier --container-name mycontainer --name myblob.txt --tier Cool --account-name mystorageaccount --auth-mode loginUsing Azure PowerShell:
# Create a storage account
New-AzStorageAccount -ResourceGroupName myResourceGroup -Name mystorageaccount -Location eastus -SkuName Standard_LRS -Kind StorageV2
# Create a container
New-AzStorageContainer -Name mycontainer -Context (Get-AzStorageAccount -ResourceGroupName myResourceGroup -Name mystorageaccount).Context
# Upload a blob
Set-AzStorageBlobContent -Container mycontainer -File myfile.txt -Blob myblob.txt -Context (Get-AzStorageAccount -ResourceGroupName myResourceGroup -Name mystorageaccount).Context
# List blobs
Get-AzStorageBlob -Container mycontainer -Context (Get-AzStorageAccount -ResourceGroupName myResourceGroup -Name mystorageaccount).ContextInteraction with Related Technologies
Azure CDN: Blob storage can be integrated with Azure CDN to cache blobs at edge locations for faster delivery.
Azure Functions: Blob storage triggers allow functions to run when blobs are created or updated.
Azure Event Grid: Blob storage events (e.g., BlobCreated, BlobDeleted) can be published to Event Grid for event-driven architectures.
Azure Data Lake Storage Gen2: Built on blob storage, it adds a hierarchical namespace and POSIX-like access control for big data analytics.
Soft delete: Protects blobs from accidental deletion by retaining deleted blobs for a specified retention period (default 7 days).
Immutable storage: WORM (Write Once, Read Many) policy for compliance, with legal hold and time-based retention.
Performance Considerations
Block blob performance: Use multiple concurrent connections (parallelism) to upload large blobs. The Azure Storage client library automatically manages parallelism. For large blobs (over 256 MB), use the Put Block and Put Block List APIs.
Scalability targets: A single blob can sustain up to 60 MB/s for reads and writes. A general-purpose v2 storage account can handle up to 20,000 IOPS for blobs.
Optimizing access: Use Azure Premium Blob Storage (BlockBlobStorage) for low latency and high throughput. Use Azure NetApp Files or Azure Files for SMB/NFS access if needed.
Security
Authentication: Shared Key (account key), Shared Access Signature (SAS), Azure AD (RBAC), and managed identities.
Encryption: All data is encrypted at rest using Storage Service Encryption (SSE). Encryption in transit is enforced via HTTPS. Client-side encryption is also supported.
Firewalls and virtual networks: Restrict access to specific IP addresses or virtual networks.
Lifecycle Management
You can define rules to automatically move blobs to a cooler tier or delete them after a specified number of days. For example:
{
"rules": [
{
"enabled": true,
"name": "moveToCool",
"type": "Lifecycle",
"definition": {
"actions": {
"baseBlob": {
"tierToCool": { "daysAfterModificationGreaterThan": 30 },
"tierToArchive": { "daysAfterModificationGreaterThan": 90 },
"delete": { "daysAfterModificationGreaterThan": 2555 }
}
},
"filters": {
"blobTypes": ["blockBlob"],
"prefixMatch": ["logs/"]
}
}
}
]
}Monitoring and Logging
Azure Monitor: Metrics (Blob Capacity, Blob Count, Transactions, Ingress, Egress) and diagnostic logs (StorageRead, StorageWrite, StorageDelete).
Storage Analytics: Classic metrics and logs, now deprecated in favor of Azure Monitor.
Pricing
Pricing is based on storage capacity (GB/month), data access operations (read/write/list), data transfer (egress), and data retrieval (for Cool and Archive tiers). Archive tier has the lowest storage cost but high retrieval cost and latency.
Common Pitfalls
Using the wrong blob type: Block blobs are for streaming and random access; append blobs for logging; page blobs for VHDs.
Not setting access tier: Default is Hot, which may incur unnecessary costs for infrequently accessed data.
Misunderstanding SAS tokens: SAS tokens grant access to specific resources for a limited time. Overly permissive SAS tokens are a security risk.
Ignoring scalability limits: A single blob cannot exceed 4.75 TB (block blob) or 8 TB (page blob).
Code Examples
Upload a blob using .NET SDK:
string connectionString = "DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=...;EndpointSuffix=core.windows.net";
BlobServiceClient blobServiceClient = new BlobServiceClient(connectionString);
BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient("mycontainer");
BlobClient blobClient = containerClient.GetBlobClient("myblob.txt");
using FileStream uploadFileStream = File.OpenRead(@"C:\data\myfile.txt");
await blobClient.UploadAsync(uploadFileStream, true);
uploadFileStream.Close();Generate a SAS token for a blob:
BlobClient blobClient = new BlobClient(connectionString, "mycontainer", "myblob.txt");
BlobSasBuilder sasBuilder = new BlobSasBuilder()
{
BlobContainerName = "mycontainer",
BlobName = "myblob.txt",
Resource = "b", // b for blob, c for container
ExpiresOn = DateTimeOffset.UtcNow.AddHours(1)
};
sasBuilder.SetPermissions(BlobSasPermissions.Read);
string sasToken = sasBuilder.ToSasQueryParameters(new StorageSharedKeyCredential("mystorageaccount", accountKey)).ToString();
Uri blobUriWithSas = new Uri($"{blobClient.Uri}?{sasToken}");Summary
Azure Blob Storage is a scalable, secure, and cost-effective object storage solution. Understanding its architecture, access tiers, security features, and performance optimization is crucial for the AZ-204 exam. Practice using the Azure CLI, SDKs, and management tools to solidify your knowledge.
Create a Storage Account
First, you need an Azure subscription. Use the Azure portal, CLI, or PowerShell to create a general-purpose v2 storage account. Specify a globally unique name (3-24 characters, lowercase alphanumerics), resource group, location, performance tier (Standard or Premium), replication (LRS, GRS, etc.), and access tier (Hot or Cool). The storage account is the top-level namespace for all blob data. For example, `az storage account create --name myaccount --resource-group myrg --location eastus --sku Standard_LRS --kind StorageV2`.
Create a Container
Containers organize blobs. A container name must be lowercase, between 3-63 characters, and start with a letter or number. Use the CLI: `az storage container create --name mycontainer --account-name myaccount --auth-mode login`. The container has a public access level (private, blob, or container). Private means no anonymous access; blob allows anonymous read for blobs; container allows anonymous read for container metadata and blob list. For exam, remember that containers are not nested; they are flat.
Upload a Blob
Upload a file as a block blob. The blob name can include forward slashes to simulate a folder structure. Use CLI: `az storage blob upload --container-name mycontainer --file myfile.txt --name folder/myblob.txt --account-name myaccount --auth-mode login`. The blob inherits the access tier of the storage account unless specified. For large files, the SDK automatically splits into blocks and uploads in parallel. The maximum block size is 100 MB, and a block blob can have up to 50,000 blocks, giving a maximum blob size of ~4.75 TB.
Access the Blob
Blobs are accessible via their URL: `https://myaccount.blob.core.windows.net/mycontainer/folder/myblob.txt`. If the container is private, you need a SAS token or account key. For anonymous access, set the container's public access level. Use the Azure Storage Explorer or SDK to download. The download can be a full blob or a range of bytes. For large blobs, consider using Azure CDN for caching. The default server timeout for operations is 30 seconds; adjust client-side timeout if needed.
Manage Access with SAS
Shared Access Signatures (SAS) provide delegated access to blobs. A SAS token includes permissions (read, write, delete, list, etc.), start/expiry time, allowed IP addresses, and protocol. You can create a SAS at the account, container, or blob level. Use the CLI: `az storage blob generate-sas --container-name mycontainer --name myblob.txt --permissions r --expiry 2024-12-31T23:59:00Z --account-name myaccount --auth-mode login`. The SAS token is appended to the blob URL. Be careful: SAS tokens are like keys; anyone with the token can access the resource within the granted permissions.
Set Lifecycle Management Policy
Define rules to automatically transition blobs to cooler tiers or delete them based on age. For example, move blobs to Cool tier after 30 days, to Archive after 90 days, and delete after 365 days. Rules apply to block blobs and can filter by blob type, prefix, or blob index tags. Use the CLI: `az storage account management-policy create --account-name myaccount --resource-group myrg --policy @policy.json`. The policy is a JSON document. Lifecycle management helps optimize costs. Note that the Archive tier requires rehydration before reading, which can take up to 15 hours.
Enterprise Scenario 1: Media Streaming Platform
A video streaming service stores raw videos and processed MP4 files in Azure Blob Storage. They use Premium Block Blob Storage for low-latency access to popular content. They have a lifecycle policy that moves older content to Cool tier after 30 days and Archive after 90 days. They use Azure CDN to cache blobs at edge locations, reducing load on storage and improving user experience. They generate SAS tokens for temporary access to paid content. Misconfiguration: If they set the container public access level to 'container', anyone could list all blobs, leading to data exposure. They use Azure AD authentication for internal tools to avoid account key exposure.
Enterprise Scenario 2: Backup and Disaster Recovery
An enterprise uses Azure Blob Storage for backup of on-premises databases. They use RA-GRS replication to ensure data is available in a secondary region in case of a disaster. They enable soft delete with a retention period of 14 days to protect against accidental deletion. They use immutable storage with time-based retention for compliance. They use AzCopy for bulk transfers. Common issue: If the retention policy is not set correctly, data may be deleted prematurely. They monitor blob capacity and transaction metrics with Azure Monitor alerts.
Enterprise Scenario 3: Big Data Analytics with Data Lake Storage Gen2
A data analytics company uses Azure Data Lake Storage Gen2 (built on Blob Storage) for its data lake. They enable hierarchical namespace for efficient directory operations. They use ACLs for fine-grained access control. They store petabytes of data in Parquet format. They use lifecycle management to move cold data to Cool tier. Performance considerations: They use multiple concurrent connections to maximize throughput. Misconfiguration: If they forget to enable hierarchical namespace at account creation, they cannot use POSIX-like permissions. They must recreate the account to enable it.
AZ-204 Exam Focus on Azure Blob Storage
Objective Codes: This topic aligns with objective '2.2 - Develop for Azure Blob Storage'. Expect questions on:
Creating and managing storage accounts, containers, and blobs.
Configuring access tiers and lifecycle management.
Implementing shared access signatures (SAS) and stored access policies.
Using Azure AD for blob authentication.
Optimizing blob storage performance (parallelism, premium storage).
Handling blob storage events and triggers.
Common Wrong Answers: 1. Choosing Page Blobs for unstructured data: Many candidates incorrectly select page blobs for general file storage. Page blobs are for random read/write (VHDs). Block blobs are for files. 2. Assuming SAS tokens are permanent: SAS tokens have an expiry time. Candidates often forget to set or renew them, leading to access failures. 3. Confusing access tiers: Candidates mix up Cool and Archive. Archive has the lowest cost but requires rehydration (up to 15 hours). Cool is for infrequent access with immediate retrieval. 4. Misunderstanding replication: RA-GRS provides read access to the secondary region, but GRS does not. Candidates often think GRS allows reads.
Specific Numbers and Values:
Default soft delete retention: 7 days.
Maximum block blob size: ~4.75 TB (50,000 blocks * 100 MB).
Archive tier minimum retention: 180 days.
Cool tier minimum retention: 30 days.
SAS token expiry: maximum 1 hour from creation if not specified? Actually, no maximum, but best practice is short-lived.
Premium blob storage account type: BlockBlobStorage.
Edge Cases: - Immutable storage: Legal hold vs. time-based retention. Legal hold has no expiration; time-based retention has a fixed period. - Blob index tags: Can be used for lifecycle management filters, but only for block blobs in GPv2 accounts. - Soft delete for containers: Enabled separately from blob soft delete.
How to Eliminate Wrong Answers:
If the question mentions 'append logs', choose Append Blob.
If the question mentions 'high throughput for big data', consider Data Lake Storage Gen2.
If the question mentions 'compliance with WORM', look for Immutable Storage.
If the question mentions 'temporary access', look for SAS.
If the question mentions 'automatic tiering', look for Lifecycle Management.
Azure Blob Storage is object storage for unstructured data, accessed via HTTP/HTTPS.
Three blob types: Block (files), Append (logs), Page (VHDs).
Three access tiers: Hot, Cool, Archive. Archive requires rehydration (up to 15 hours).
Containers are flat; simulate folders with blob names.
SAS tokens provide delegated, time-limited access. Use stored access policies for easier management.
Lifecycle management automates tier transitions and deletions based on age.
Soft delete protects blobs from accidental deletion (default 7 days retention).
Immutable storage provides WORM compliance with legal hold or time-based retention.
Replication options: LRS, ZRS, GRS, RA-GRS. RA-GRS allows read access to secondary region.
Use Azure AD (RBAC) for authentication instead of account keys for better security.
Premium blob storage (BlockBlobStorage) offers low latency and high throughput.
Monitor blob storage with Azure Monitor metrics and diagnostic logs.
These come up on the exam all the time. Here's how to tell them apart.
Block Blob
Optimized for streaming and random access.
Maximum size ~4.75 TB.
Consists of blocks that are uploaded individually and committed.
Ideal for files, images, videos, backups.
Supports tiering (Hot, Cool, Archive).
Page Blob
Optimized for random read/write operations.
Maximum size 8 TB.
Consists of 512-byte pages.
Ideal for VHDs and Azure virtual machine disks.
Does not support tiering; always Hot.
Hot Tier
For data accessed frequently.
Higher storage cost, lower access cost.
No minimum retention period.
Immediate retrieval.
Default tier for new storage accounts.
Cool Tier
For data accessed infrequently (less than once a month).
Lower storage cost, higher access cost.
Minimum retention period of 30 days.
Immediate retrieval.
Good for short-term backup and disaster recovery.
Mistake
Blob storage containers can be nested like folders.
Correct
Containers are flat; they cannot contain other containers. Folder-like structure is simulated by using forward slashes in blob names (e.g., 'folder/subfolder/blob.txt').
Mistake
All blobs in a storage account share the same access tier.
Correct
Access tiers can be set at the blob level, overriding the account default. Each blob can be in Hot, Cool, or Archive independently.
Mistake
A SAS token grants access to all blobs in a container.
Correct
A SAS token can be scoped to a single blob, a container, or the entire account. The resource parameter ('b' for blob, 'c' for container) determines scope.
Mistake
GRS replication allows read access to the secondary region.
Correct
GRS does not provide read access to the secondary region unless you enable RA-GRS. GRS only replicates data for failover scenarios.
Mistake
Archive blobs can be read immediately after setting the tier.
Correct
Archive blobs are offline. To read them, you must first rehydrate them to Hot or Cool tier, which can take up to 15 hours.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Block blobs are optimized for streaming and storing files, with a maximum size of ~4.75 TB. They consist of blocks that are uploaded individually and then committed. Page blobs are optimized for random read/write operations, up to 8 TB, and are used for Azure VM disks. Page blobs are divided into 512-byte pages and support efficient random access. For the exam, remember that page blobs are for VHDs, block blobs for general file storage.
You can create a SAS using the Azure portal, CLI, PowerShell, or SDK. The SAS token includes permissions (read, write, delete, etc.), start and expiry times, and optionally allowed IP addresses and protocol. For example, using CLI: `az storage blob generate-sas --container-name mycontainer --name myblob.txt --permissions r --expiry 2024-12-31T23:59:00Z --account-name myaccount`. The SAS token is appended to the blob URL. Best practice is to use a stored access policy for easier revocation.
GRS (Geo-Redundant Storage) replicates data to a secondary region but does not allow read access to that secondary region unless a failover occurs. RA-GRS (Read-Access Geo-Redundant Storage) provides read access to the secondary region at all times. Both offer six copies of data (3 in primary, 3 in secondary). RA-GRS is useful for applications that need read access during normal operations.
Use Azure Blob Storage lifecycle management. Define a policy with a rule that sets `tierToCool` with `daysAfterModificationGreaterThan: 30`. Apply the policy to the storage account using CLI: `az storage account management-policy create`. The rule can filter by blob type (block blob) and prefix. Note: Lifecycle management applies only to block blobs in GPv2 and BlobStorage accounts.
The maximum size of a block blob is approximately 4.75 TB. This is because a block blob can have up to 50,000 blocks, and each block can be up to 100 MB in size (when using Put Block). For older API versions, the maximum block size was 4 MB, resulting in a 195 GB limit. Use the latest SDK for the larger limit.
Yes, Azure Blob Storage supports Azure AD authentication. You can assign RBAC roles (e.g., Storage Blob Data Reader) to users, groups, or managed identities. This is more secure than using account keys. When using Azure AD, you do not need to pass account keys or SAS tokens; the SDK will handle the OAuth 2.0 token acquisition.
Soft delete protects blobs and blob snapshots from accidental deletion. When enabled, deleted blobs are retained for a specified retention period (default 7 days, max 365 days). During this period, they can be undeleted. Enable it in the Azure portal under 'Data protection' or via CLI: `az storage blob service-properties delete-policy update --enable true --days-retained 14 --account-name myaccount`.
You've just covered Azure Blob Storage Development — now see how well it sticks with free AZ-204 practice questions. Full explanations included, no account needed.
Done with this chapter?