Azure Storage Accounts
An Azure Storage Account is the foundational resource for all Azure storage services. Every blob, file share, queue, and table lives inside a storage account. This lesson explains what storage accounts are, how to create them, the different account types and performance tiers, and the key configuration options you need to understand.
What Is a Storage Account?
A storage account provides a unique namespace in Azure for your data. Every object stored in Azure Storage has an address that includes your unique account name. The combination of the account name and the service endpoint forms the base URL for your storage objects.
Endpoint Format
| Service | Endpoint |
|---|---|
| Blob Storage | https://<account>.blob.core.windows.net |
| Azure Files | https://<account>.file.core.windows.net |
| Queue Storage | https://<account>.queue.core.windows.net |
| Table Storage | https://<account>.table.core.windows.net |
| Data Lake Storage Gen2 | https://<account>.dfs.core.windows.net |
The storage account name must be globally unique, between 3 and 24 characters, and contain only lowercase letters and numbers.
Storage Account Types
Azure offers several types of storage accounts, each supporting different features and pricing models.
| Type | Supported Services | Performance | Use Case |
|---|---|---|---|
| Standard general-purpose v2 | Blob, File, Queue, Table, Data Lake | Standard | Recommended default for most workloads |
| Premium block blobs | Block blobs only | Premium (SSD) | High transaction rates, low latency for blobs |
| Premium file shares | Azure Files only | Premium (SSD) | Enterprise file shares requiring high IOPS |
| Premium page blobs | Page blobs only | Premium (SSD) | VM disks (unmanaged), high-performance page blob access |
Best practice: Use Standard general-purpose v2 unless you have a specific performance requirement that demands a Premium account type.
Standard vs Premium Performance
| Feature | Standard | Premium |
|---|---|---|
| Backed by | HDD (magnetic) | SSD (solid-state) |
| Latency | Milliseconds | Single-digit milliseconds |
| IOPS | Lower | Much higher |
| Cost | Lower per GB | Higher per GB, lower per transaction |
| Redundancy options | LRS, ZRS, GRS, GZRS | LRS, ZRS only |
Creating a Storage Account
Azure Portal
- Navigate to Storage accounts in the Azure Portal
- Click + Create
- Select your subscription and resource group
- Enter a globally unique storage account name
- Choose a region, performance tier, and redundancy option
- Configure networking, data protection, and encryption settings
- Review and create
Azure CLI
```bash
# Create a standard general-purpose v2 storage account with LRS
az storage account create \
  --name mystorageaccount2024 \
  --resource-group rg-storage-demo \
  --location uksouth \
  --sku Standard_LRS \
  --kind StorageV2

# Create a premium block blob storage account
az storage account create \
  --name mypremiumblobs \
  --resource-group rg-storage-demo \
  --location uksouth \
  --sku Premium_LRS \
  --kind BlockBlobStorage
```
Bicep
```bicep
resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: 'mystorageaccount2024'
  location: 'uksouth'
  sku: {
    name: 'Standard_LRS'
  }
  kind: 'StorageV2'
  properties: {
    accessTier: 'Hot'
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
  }
}
```
Key Configuration Options
Access Tier (Default)
The default access tier applies to blobs that don't have an explicit tier set.
| Tier | Description |
|---|---|
| Hot | Optimised for frequent access. Higher storage cost, lower access cost. |
| Cool | Optimised for infrequent access (stored for at least 30 days). Lower storage cost, higher access cost. |
You set the default tier at the account level, but individual blobs can override this.
Secure Transfer Required
When enabled (recommended), the storage account only accepts requests over HTTPS and rejects any HTTP connections. This is enabled by default on new accounts.
Minimum TLS Version
Azure Storage supports TLS 1.0, 1.1, and 1.2. Best practice is to set the minimum to TLS 1.2 to ensure all connections use modern encryption.
Allow Blob Public Access
Controls whether containers in the storage account can be configured for anonymous public access. Best practice is to disable this unless you have a specific requirement for public blob access (such as hosting static website assets).
Hierarchical Namespace
Enabling the hierarchical namespace turns your storage account into an Azure Data Lake Storage Gen2 account. This enables file-system semantics (directories, POSIX permissions) on top of Blob Storage, making it ideal for big data analytics workloads.
Storage Account Keys and Connection Strings
Each storage account has two access keys that grant full control over the account. These keys are used to authorise requests and are included in connection strings.
```bash
# List storage account keys
az storage account keys list \
  --account-name mystorageaccount2024 \
  --resource-group rg-storage-demo

# Get the connection string
az storage account show-connection-string \
  --name mystorageaccount2024 \
  --resource-group rg-storage-demo
```
Key Rotation
Since account keys grant full access, you should:
- Never embed keys in source code — use Azure Key Vault or managed identities
- Rotate keys regularly — Azure provides two keys so you can rotate without downtime
- Prefer Entra ID authentication over shared keys for production workloads
The rotation process:
- Update applications to use Key 2
- Regenerate Key 1
- Update applications to use Key 1
- Regenerate Key 2
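The settings under Key Configuration Options and the key-rotation advice above can be checked against the JSON printed by `az storage account show`. The Python below is an added example, not part of the original lesson. The sample document is constructed, the 90-day limit is an assumed policy, and the field names (`enableHttpsTrafficOnly`, `allowBlobPublicAccess`, `allowSharedKeyAccess`, `keyCreationTime`) are assumed to match that command's output.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like `az storage account show -o json` output
# (field names are assumed to match the CLI; values are illustrative).
SAMPLE = json.loads("""{
  "name": "mystorageaccount2024",
  "enableHttpsTrafficOnly": true,
  "minimumTlsVersion": "TLS1_0",
  "allowBlobPublicAccess": null,
  "allowSharedKeyAccess": true,
  "keyCreationTime": {"key1": "2023-01-10T09:00:00+00:00",
                      "key2": "2024-05-01T09:00:00+00:00"}
}""")

MAX_KEY_AGE_DAYS = 90  # assumed policy; the lesson only says "regularly"


def audit(account, now=None):
    """Return a list of findings for one storage account description."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if account.get("enableHttpsTrafficOnly") is not True:
        findings.append("secure transfer (HTTPS only) is not enforced")
    if account.get("minimumTlsVersion") in (None, "TLS1_0", "TLS1_1"):
        findings.append("minimum TLS version is below 1.2")
    # An unset (null) value is reported too, so the setting is always explicit.
    if account.get("allowBlobPublicAccess") is not False:
        findings.append("anonymous blob access is not explicitly disabled")
    if account.get("allowSharedKeyAccess") is not False:
        findings.append("shared key authorisation is still allowed")
        # Key age only matters while the account keys can still be used.
        times = account.get("keyCreationTime") or {}
        for key, created in sorted(times.items()):
            if not created:
                findings.append(f"{key} has no recorded creation time")
                continue
            created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
            age = (now - created_at).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append(f"{key} is {age} days old (limit {MAX_KEY_AGE_DAYS})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(f"{SAMPLE['name']}: {finding}")
```

To audit a real account, pass `json.load(sys.stdin)` to `audit()` and pipe the `az storage account show` output into the script.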
Resource Locks and Tags
Resource Locks
Apply locks to prevent accidental deletion or modification:
| Lock Type | Effect |
|---|---|
| Delete | Prevents deletion but allows modifications |
| ReadOnly | Prevents all changes (including writes to the storage account) |
Tags
Tags help organise and track costs:
```bash
az storage account update \
  --name mystorageaccount2024 \
  --resource-group rg-storage-demo \
  --tags Environment=Production Team=DataPlatform CostCentre=CC-1234
```
Storage Account Limits
| Limit | Value |
|---|---|
| Max storage accounts per subscription per region | 250 |
| Max storage account capacity | 5 PiB |
| Max number of blob containers, blobs, file shares, tables, queues | No limit |
| Max request rate per storage account | 20,000 requests per second |
| Max ingress (per account, in most regions) | 10 Gbps |
| Max egress (per account, in most regions) | 50 Gbps |
Summary
An Azure Storage Account is the entry point for all Azure storage services. Standard general-purpose v2 is the recommended default. Premium accounts offer SSD-backed performance for demanding workloads. Key configuration options include access tier, secure transfer, TLS version, and hierarchical namespace. Always secure your account keys, prefer Entra ID authentication, and apply appropriate tags and resource locks. Next, we'll dive deep into Azure Blob Storage.