AZ-305 | Chapter 4 of 103 | Objective 2.1

Designing Azure Storage Solutions

This chapter covers designing Azure storage solutions, a core domain in the AZ-305 exam. Storage questions account for approximately 15-20% of the exam, making it one of the most heavily tested areas. You will learn how to choose the right storage account type, replication strategy, access tier, and security controls to meet performance, availability, and cost requirements. Mastery of these concepts is essential for architecting resilient and cost-effective solutions on Azure.

25 min read
Intermediate
Updated May 31, 2026

Azure Storage as a City Library System

Imagine a city library system with multiple branches. Blob storage is like the general stacks where anyone can borrow books (unstructured data) by title. Disks are like personal lockers assigned to specific patrons (VMs) for their exclusive use. Files are like shared department folders with hierarchical organization and network access. Tables are like card catalogs with structured records that can be queried quickly. Queues are like inter-library loan request slots where messages wait to be processed. The library has a central catalog (Azure Storage Resource Provider) that tracks all branches (storage accounts), each with its own address (endpoint). Access is controlled by library cards (keys or Azure AD) and permissions (RBAC). Data is replicated across branches in the same city (LRS), across cities in the same region (GRS), or across regions (RA-GRS) for disaster recovery. The library's performance tiers (Standard vs. Premium) determine how fast books can be retrieved, with premium offering faster service for frequently accessed items. Just as a library optimizes shelf space and checkout rules, Azure Storage offers access tiers (Hot, Cool, Archive) to balance cost and availability. This analogy helps understand how different storage services coexist and are accessed through a unified management plane.

How It Actually Works

What is Azure Storage and Why It Exists

Azure Storage is Microsoft's cloud storage solution for modern data storage scenarios. It provides massively scalable, durable, and highly available storage for data such as text, binary data, messages, and structured records. Azure Storage is designed to be accessible from anywhere in the world via HTTP/HTTPS, and it supports a wide range of development frameworks. The core services include Blob Storage (for unstructured data), Azure Files (for managed file shares), Queue Storage (for message queuing), Table Storage (for NoSQL key-value storage), and Azure Disks (for VM persistent disks). Understanding when to use each service is critical for the AZ-305 exam.

How Azure Storage Works Internally

Azure Storage is built on a distributed storage system called the Storage Stamp. Each storage account is assigned to a storage stamp, which is a cluster of storage nodes. Data is replicated within the stamp according to the chosen redundancy option. The front-end (FE) layer receives requests and routes them to the appropriate partition layer, which then directs them to the correct storage node. The storage nodes use a log-structured merge tree (LSM) to write data efficiently. All data is encrypted at rest using Storage Service Encryption (SSE) with Microsoft-managed keys or customer-managed keys.

Key Components, Values, Defaults, and Timers

Storage Account Types: Standard general-purpose v2 (GPv2), Premium block blobs, Premium page blobs, Premium file shares, and BlobStorage (legacy). GPv2 is the default and supports all storage services except premium disks.

Replication Options: Locally Redundant Storage (LRS) – 3 copies within a single datacenter; Zone-Redundant Storage (ZRS) – 3 copies across availability zones; Geo-Redundant Storage (GRS) – LRS in primary region plus LRS in paired secondary region; Read-Access Geo-Redundant Storage (RA-GRS) – GRS with read access to secondary; Geo-Zone-Redundant Storage (GZRS) – ZRS in primary plus LRS in secondary; Read-Access Geo-Zone-Redundant Storage (RA-GZRS).

Performance Tiers: Standard (HDD-based) and Premium (SSD-based). Premium offers higher IOPS and throughput.

Access Tiers for Blob Storage: Hot (frequent access, higher storage cost, lower access cost), Cool (infrequent access, lower storage cost, higher access cost, 30-day minimum), Archive (offline, lowest storage cost, highest access cost, 180-day minimum, rehydration takes up to 15 hours).

Default Limits: Storage account capacity – 5 PiB total for standard accounts; maximum blob size – 4.75 TiB for block blobs (up to 190.7 TiB with large file shares enabled); maximum file share size – 100 TiB for premium, 5 PiB for standard with large file shares.

Timers: Blob lease duration – 15 to 60 seconds (infinite possible); SAS token expiry – up to 1 year from creation; soft delete retention – 1 to 365 days.

Configuration and Verification Commands

To create a storage account using Azure CLI:

az storage account create \
  --name mystorageaccount \
  --resource-group myResourceGroup \
  --location eastus \
  --sku Standard_GRS \
  --kind StorageV2 \
  --access-tier Hot

To verify the replication option (SKU) configured on the account:

az storage account show \
  --name mystorageaccount \
  --query 'sku.name'

To list containers and blobs:

az storage container list --account-name mystorageaccount
az storage blob list --container-name mycontainer --account-name mystorageaccount

How Azure Storage Interacts with Related Technologies

Azure Virtual Machines: Use Azure Disks (page blobs) for OS and data disks. Unmanaged disks are deprecated; managed disks are recommended.

Azure App Service and Azure Functions: Can access blob and file storage via connection strings or managed identities.

Azure SQL Database and Cosmos DB: Use Azure Storage for backup storage and transaction log storage.

Azure Backup and Site Recovery: Store backup data in Recovery Services vaults, which use Azure Storage internally.

Azure CDN: Can cache blob storage content for faster delivery.

Azure Data Lake Storage Gen2: Built on Blob Storage with hierarchical namespace for big data analytics.

Azure Kubernetes Service (AKS): Uses Azure Disks for persistent volumes and Azure Files for shared volumes.

Replication Details and Durability

LRS: 11 nines durability (99.999999999%) over a given year.

ZRS: 12 nines durability.

GRS: 16 nines durability (99.99999999999999%).

RA-GRS: Same as GRS but with read access to secondary region.

GZRS: 16 nines durability with zone redundancy.

Failover: For GRS/RA-GRS, you can initiate a customer-managed failover to the secondary region if the primary becomes unavailable. This is a manual process and can take up to 1 hour to complete.

Security Features

Encryption at rest: Enabled by default for all storage accounts using SSE.

Encryption in transit: HTTPS required by default; can enforce minimum TLS version.

Firewalls and Virtual Networks: Restrict access to specific IP addresses or VNets.

Private Endpoints: Use private IP addresses from your VNet to access storage.

Shared Access Signatures (SAS): Delegate limited access to storage resources with specific permissions, expiry, and allowed IP addresses.

Azure AD Integration: Use Azure AD to authorize access to blob and queue storage (RBAC).

Customer-managed keys (CMK): Encrypt data with your own key stored in Azure Key Vault.

Azure Defender for Storage: Detect anomalous access patterns and potential threats.
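The SAS item above names three things a token should pin down: permissions, expiry and allowed IP addresses. The following check is an added example, not part of the original chapter; it reads the standard SAS query parameters (`sp`, `st`, `se`, `spr`, `sip`, `si`) from a constructed URL, and the 7-day lifetime limit and read-only default are assumed policy values.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample URL: account, container, blob and signature are placeholders.
SAMPLE_SAS_URL = (
    "https://mystorageaccount.blob.core.windows.net/mycontainer/report.pdf"
    "?sv=2022-11-02&sr=b&sp=rwdl&st=2026-01-01T00:00:00Z"
    "&se=2027-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
)

TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def _parse_sas_time(value):
    """Parse the ISO 8601 UTC forms a SAS accepts for st and se."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def audit_sas(url, allowed_permissions="r", max_lifetime=timedelta(days=7), now=None):
    """Return sorted finding ids for a SAS URL or a bare SAS query string."""
    query = urlsplit(url).query or url
    params = {k: v[0] for k, v in parse_qs(query).items()}
    now = now or datetime.now(timezone.utc)
    findings = set()

    # Permissions (sp): every letter beyond the allowed set is excess privilege.
    if set(params.get("sp", "")) - set(allowed_permissions):
        findings.add("excess-permissions")

    # Expiry (se): a token tied to a stored access policy (si) may take its
    # expiry from that policy, so a missing se is only flagged without si.
    if "se" in params:
        start = _parse_sas_time(params["st"]) if "st" in params else now
        if _parse_sas_time(params["se"]) - start > max_lifetime:
            findings.add("lifetime-too-long")
    elif "si" not in params:
        findings.add("no-expiry")

    # Protocol (spr): when omitted, both HTTPS and HTTP are permitted.
    if params.get("spr", "https,http") != "https":
        findings.add("http-allowed")

    # Allowed IP addresses (sip): absent means any source address may use the token.
    if "sip" not in params:
        findings.add("no-ip-restriction")

    return sorted(findings)


if __name__ == "__main__":
    print(audit_sas(SAMPLE_SAS_URL))
```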

Data Transfer Options

AzCopy: Command-line tool for copying data to/from Azure Storage.

Azure Storage Explorer: GUI tool for managing storage.

Azure Data Box: Physical device for offline data transfer (up to 80 TB).

Azure Import/Export Service: Ship hard drives to Azure.

Azure File Sync: Sync on-premises file servers with Azure Files.

Performance Considerations

Latency: Blob storage typical latency is single-digit milliseconds for hot tier; archive tier rehydration can take up to 15 hours.

IOPS and Throughput: Premium storage accounts provide higher IOPS and throughput. For example, a Premium block blob storage account can achieve up to 100,000 IOPS and 10 Gbps throughput.

Scalability: Storage accounts scale automatically; no manual partitioning required.

Caching: Azure CDN can improve read performance for frequently accessed blobs.

Cost Optimization

Choose the appropriate access tier based on data access patterns.

Use lifecycle management policies to automatically move blobs between tiers.

Use reserved capacity for predictable workloads.

Monitor costs with Azure Cost Management.

Exam Tips

Know the differences between LRS, ZRS, GRS, and RA-GRS.

Understand when to use Premium vs. Standard performance.

Remember the minimum retention periods for Cool (30 days) and Archive (180 days).

Be familiar with the capabilities of each storage account kind (StorageV2, BlobStorage, etc.).

Know that Azure Files supports SMB 3.0 and NFS 4.1.

Understand that Azure managed disks are page blobs and that unmanaged disks are legacy.

Walk-Through

1. Choose Storage Account Type

First, determine the workload requirements. For general-purpose workloads (blobs, files, queues, tables), select Standard general-purpose v2 (StorageV2). For high-performance block blob workloads (e.g., IoT telemetry), use Premium block blobs. For low-latency page blobs (VMs), use Premium page blobs. For high-performance file shares, use Premium file shares. The account type determines available features and pricing. For the AZ-305 exam, know that StorageV2 is the default and supports all features.

2. Select Replication Strategy

Based on durability and availability requirements, choose a replication option. LRS provides 11 nines durability within a single datacenter. ZRS offers 12 nines across availability zones. GRS provides 16 nines by replicating to a paired region. RA-GRS adds read access to the secondary region. GZRS combines zone redundancy with geo-redundancy. For the exam, remember that GRS and RA-GRS involve a failover delay of up to 1 hour, and RA-GRS allows reading from the secondary during an outage.

3. Configure Access Tier for Blobs

For blob storage, set the default access tier (Hot, Cool, or Archive) at the storage account level or per blob. Hot tier is for data accessed frequently; Cool tier for infrequently accessed data with a 30-day minimum; Archive tier for rarely accessed data with a 180-day minimum and rehydration cost. Use lifecycle management policies to automatically move blobs between tiers based on age. The exam tests the minimum retention periods and that Archive blobs must be rehydrated before reading.

4. Implement Security Controls

Enable encryption at rest (SSE), which is the default. Require HTTPS and enforce a minimum TLS version. Configure firewalls to restrict access by IP or VNet. Use private endpoints for secure access from VNets. Implement Azure AD authentication for blobs and queues. Generate SAS tokens for delegated access with specific permissions and expiry. Use customer-managed keys if required. For the exam, know that Azure AD integration is available for blobs and queues, not for files or tables.
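The account-level controls from this step and from the Security Features list can be checked against the JSON that `az storage account show` prints. The audit below is an added example, not part of the original chapter; the sample JSON is constructed, and the TLS 1.2 floor and the `require_cmk` switch are assumed policy choices.

```python
import json

# Constructed sample: trimmed `az storage account show` output for a
# hypothetical account, using the property names the CLI emits.
SAMPLE_ACCOUNT_JSON = """
{
  "name": "mystorageaccount",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
  "privateEndpointConnections": [],
  "encryption": {"keySource": "Microsoft.Storage"}
}
"""

TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]


def audit_storage_account(account, min_tls="TLS1_2", require_cmk=False):
    """Return {finding_id: explanation} for controls that are not in place."""
    findings = {}

    # Encryption in transit: HTTPS-only plus a minimum TLS version.
    if account.get("enableHttpsTrafficOnly") is not True:
        findings["https-not-required"] = "plain HTTP requests are accepted"
    tls = account.get("minimumTlsVersion")
    if tls not in TLS_ORDER or TLS_ORDER.index(tls) < TLS_ORDER.index(min_tls):
        findings["tls-below-minimum"] = f"minimumTlsVersion is {tls!r}, want {min_tls}+"

    # Firewall: the default action must be Deny so only listed IPs/VNets get in.
    rules = account.get("networkRuleSet") or {}
    if rules.get("defaultAction", "Allow") != "Deny":
        findings["firewall-default-allow"] = "all networks can reach the public endpoint"

    # Private endpoints: count only connections that were actually approved.
    approved = [
        c for c in account.get("privateEndpointConnections") or []
        if (c.get("privateLinkServiceConnectionState") or {}).get("status") == "Approved"
    ]
    if not approved:
        findings["no-approved-private-endpoint"] = "no private endpoint is connected"

    # Customer-managed keys: only a finding when policy demands CMK.
    key_source = (account.get("encryption") or {}).get("keySource")
    if require_cmk and key_source != "Microsoft.Keyvault":
        findings["cmk-not-configured"] = f"encryption keySource is {key_source!r}"

    return findings


if __name__ == "__main__":
    for finding, why in audit_storage_account(json.loads(SAMPLE_ACCOUNT_JSON)).items():
        print(f"{finding}: {why}")
```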

5. Set Up Data Protection

Enable soft delete for blobs (retention period 1-365 days) to recover deleted data. Enable versioning to keep previous versions of blobs. Enable point-in-time restore for block blobs (requires soft delete and change feed). For Azure Files, enable soft delete for file shares (1-365 days). Configure immutable storage with legal hold or time-based retention policies for compliance. The exam tests that soft delete is disabled by default and must be enabled.

What This Looks Like on the Job

Enterprise Scenario 1: Media Streaming Platform

A media company needs to store and serve video files to millions of users globally. They use Azure Blob Storage with Premium block blobs for low-latency streaming. They choose RA-GZRS replication to ensure high availability and read access from a secondary region during outages. They use Azure CDN to cache content at edge locations. They implement lifecycle policies to move older content to Cool tier after 30 days and Archive tier after 365 days. They use SAS tokens with expiry for secure access. Performance: They achieve 100,000 IOPS and 10 Gbps throughput. Misconfiguration: If they use Standard instead of Premium, latency increases and user experience degrades.

Enterprise Scenario 2: Enterprise File Sharing

A global enterprise needs to replace on-premises file servers with a cloud solution. They deploy Azure Files with Premium file shares for low-latency access. They use Azure File Sync to sync on-premises Windows Servers with cloud shares. They configure identity-based access using Azure AD Domain Services. They enable soft delete for file shares with a 14-day retention. They use Private Endpoints to secure access from VNets. Performance: Premium shares provide up to 100,000 IOPS per share. Misconfiguration: If they use Standard instead of Premium, IOPS may be insufficient for heavy workloads.

Enterprise Scenario 3: IoT Data Ingestion

A manufacturing company collects sensor data from thousands of devices. They use Queue Storage to buffer incoming messages and Blob Storage (Cool tier) to store raw data. They use Azure Functions to process messages and write them to blob storage. They use LRS replication because the data is transient and can be regenerated. They use SAS tokens for device authentication. Performance: Queues handle millions of messages per day. Misconfiguration: If they use GRS, they incur unnecessary cost and complexity; if they use Hot tier, storage cost increases.

Common Pitfalls

Choosing GRS for transient data that can be regenerated.

Not enabling soft delete, leading to permanent data loss.

Using Standard performance for latency-sensitive workloads.

Not setting lifecycle policies, causing high storage costs.

Misconfiguring network firewalls, blocking legitimate access.

How AZ-305 Actually Tests This

What AZ-305 Tests on This Topic

The AZ-305 exam objective 'Design Azure Storage Solutions' (2.1) focuses on selecting appropriate storage services, replication strategies, access tiers, and security controls. Key sub-objectives include:

Choose a storage account type based on workload (Blob, Files, Disks, etc.)

Select a replication strategy (LRS, ZRS, GRS, RA-GRS, GZRS, RA-GZRS)

Determine blob access tiers (Hot, Cool, Archive)

Design for data protection (soft delete, versioning, immutable storage)

Implement security (encryption, firewalls, private endpoints, SAS, Azure AD)

Common Wrong Answers and Why Candidates Choose Them

1. Choosing GRS for all scenarios: Candidates often think GRS is always best for high availability, but it adds cost and failover delay. For transient data or data that can be regenerated, LRS is sufficient.

2. Selecting Archive tier for data accessed monthly: Archive tier has a 180-day minimum and high rehydration cost. Cool tier is more cost-effective for monthly access.

3. Enabling Azure AD authentication for all storage services: Azure AD integration is only available for blobs and queues, not files or tables. Candidates may incorrectly assume it works for all.

4. Using Standard performance for VM disks: VM disks require Premium page blobs for consistent performance. Standard is acceptable for test/dev but not production.

Specific Numbers and Terms That Appear on the Exam

LRS: 11 nines durability

GRS: 16 nines durability

Cool tier minimum: 30 days

Archive tier minimum: 180 days

Rehydration time: up to 15 hours

Soft delete retention: 1-365 days

Maximum blob size: 4.75 TiB (block blobs), 190.7 TiB with large file shares

Maximum storage account capacity: 5 PiB

Premium block blob IOPS: up to 100,000

Edge Cases and Exceptions

RA-GRS vs. GRS: RA-GRS allows read access to secondary region during an outage, but write operations are not supported until failover.

GZRS vs. ZRS: GZRS provides geo-redundancy with zone redundancy in primary region; ZRS only provides zone redundancy.

Immutable storage: Can be configured with time-based retention (WORM) or legal hold. Cannot be removed once locked.

Large file shares: Standard file shares can be increased to 100 TiB by enabling large file shares feature (not available in all regions).

How to Eliminate Wrong Answers

If the scenario mentions 'transient data that can be regenerated', eliminate GRS/RA-GRS and choose LRS.

If the scenario mentions 'compliance requirement to prevent deletion', look for immutable storage with legal hold.

If the scenario mentions 'lowest cost for data accessed once a year', choose Archive tier but be aware of rehydration cost and time.

If the scenario mentions 'shared access across multiple VMs', choose Azure Files (SMB) or NetApp Files (NFS).

Key Takeaways

Azure Storage account types: StorageV2 is the default; Premium block blobs for high-performance; Premium page blobs for VMs; Premium file shares for low-latency file shares.

Replication options: LRS (11 nines), ZRS (12 nines), GRS (16 nines), RA-GRS (read access to secondary), GZRS, RA-GZRS.

Blob access tiers: Hot (frequent), Cool (30-day min), Archive (180-day min, rehydration up to 15 hours).

Soft delete: Must be enabled; retention 1-365 days.

Azure AD authentication is available only for Blob and Queue storage.

Immutable storage: Time-based retention (WORM) or legal hold; cannot be removed once locked.

Maximum blob size: 4.75 TiB (block blobs), up to 190.7 TiB with large file shares.

Premium block blob storage accounts provide up to 100,000 IOPS and 10 Gbps throughput.

Customer-managed failover for GRS can take up to 1 hour.

Lifecycle management policies can automatically move blobs between tiers based on age.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Standard General-Purpose v2 (StorageV2)

Supports blobs, files, queues, and tables.

Lower cost per GB but lower IOPS/throughput.

Suitable for most general-purpose workloads.

Default access tier can be Hot, Cool, or Archive.

Maximum storage account capacity 5 PiB.

Premium Block Blobs

Supports only block blobs (no files, queues, tables).

Higher cost per GB but higher IOPS/throughput (up to 100,000 IOPS).

Suitable for high-performance workloads like streaming or IoT.

Access tier is always Hot (no Cool or Archive).

Maximum storage account capacity 100 TiB.

Watch Out for These

Mistake: Azure Storage replicates data to a secondary region automatically without any manual action.

Correct: Only GRS, RA-GRS, GZRS, and RA-GZRS replicate to a secondary region. LRS and ZRS do not. For GRS, failover is manual and can take up to 1 hour.

Mistake: Archive tier blobs can be read immediately after moving to Archive.

Correct: Archive blobs are offline and must be rehydrated to Hot or Cool before reading. Rehydration can take up to 15 hours.

Mistake: All Azure Storage services support Azure AD authentication.

Correct: Azure AD authentication is supported only for Blob and Queue storage. Files and Tables do not support Azure AD authentication.

Mistake: Soft delete for blobs is enabled by default.

Correct: Soft delete is disabled by default. You must explicitly enable it and set a retention period (1-365 days).

Mistake: You can change the replication type of a storage account after creation without downtime.

Correct: Changing replication type (e.g., LRS to GRS) triggers a background conversion that may take time but does not cause downtime. However, some conversions require manual steps (e.g., from LRS to ZRS is not supported directly; you must create a new account).


Frequently Asked Questions

What is the difference between LRS, ZRS, GRS, and RA-GRS?

LRS replicates data three times within a single datacenter (11 nines durability). ZRS replicates across three availability zones in the same region (12 nines). GRS replicates to a paired secondary region (16 nines) but does not allow read access until failover. RA-GRS is the same as GRS but allows read access to the secondary region at all times. For the exam, remember that RA-GRS provides read access during an outage, while GRS does not.

When should I use Azure Files vs. Blob Storage?

Use Azure Files when you need SMB or NFS file shares that can be mounted by multiple VMs or on-premises servers. Use Blob Storage for unstructured data like images, videos, backups, and logs. Azure Files is ideal for lift-and-shift of file servers, while Blob Storage is better for scalable object storage.

How do I choose between Hot, Cool, and Archive tiers?

Hot tier is for data accessed frequently (cost higher per GB, lower per access). Cool tier is for data accessed infrequently (lower per GB, higher per access, 30-day minimum). Archive tier is for rarely accessed data (lowest per GB, highest per access, 180-day minimum, rehydration up to 15 hours). Use lifecycle policies to automate tier transitions based on age.

Can I change the replication type after creating a storage account?

Yes, you can change from LRS to GRS or RA-GRS and vice versa. However, changing to ZRS or GZRS is not supported directly; you must create a new storage account with the desired replication. Conversions are performed in the background and do not cause downtime.

What is the difference between managed and unmanaged disks?

Managed disks are the newer recommendation. They simplify disk management by handling storage account creation and scaling automatically. Unmanaged disks require you to manage storage accounts and are limited to a maximum of 40 disks per storage account. For the exam, always choose managed disks.

How do I secure access to Azure Storage?

Enable encryption at rest (default). Require HTTPS. Configure firewalls to restrict IP addresses or VNets. Use private endpoints for private IP access. Use Azure AD authentication for blobs and queues. Use SAS tokens for delegated access. Enable Azure Defender for Storage for threat detection.

What is the maximum size of a blob in Azure Storage?

For block blobs, the maximum size is 4.75 TiB (with block blob max of 100 MB per block and 50,000 blocks). With large file shares enabled, block blobs can be up to 190.7 TiB. Page blobs are up to 8 TiB. Append blobs are up to 195 GB.
