Friday, 31 May 2024

Create an Azure storage account

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Next, sign in to Azure.

Create a storage account

A storage account is an Azure Resource Manager resource. Resource Manager is the deployment and management service for Azure. For more information, see Azure Resource Manager overview.

Every Resource Manager resource, including an Azure storage account, must belong to an Azure resource group. A resource group is a logical container for grouping your Azure services. When you create a storage account, you have the option to either create a new resource group, or use an existing resource group. This how-to shows how to create a new resource group.

Storage account type parameters

When you create a storage account using PowerShell, the Azure CLI, Bicep, Azure Templates, or the Azure Developer CLI, the storage account type is specified by the kind parameter (for example, StorageV2). The performance tier and redundancy configuration are specified together by the sku or SkuName parameter (for example, Standard_GRS). The following table shows which values to use for the kind parameter and the sku or SkuName parameter to create a particular type of storage account with the desired redundancy configuration.

| Type of storage account | Supported redundancy configurations | Supported values for the kind parameter | Supported values for the sku or SkuName parameter | Supports hierarchical namespace |
|---|---|---|---|---|
| Standard general-purpose v2 | LRS / GRS / RA-GRS / ZRS / GZRS / RA-GZRS | StorageV2 | Standard_LRS / Standard_GRS / Standard_RAGRS / Standard_ZRS / Standard_GZRS / Standard_RAGZRS | Yes |
| Premium block blobs | LRS / ZRS | BlockBlobStorage | Premium_LRS / Premium_ZRS | Yes |
| Premium file shares | LRS / ZRS | FileStorage | Premium_LRS / Premium_ZRS | No |
| Premium page blobs | LRS | StorageV2 | Premium_LRS | No |
| Legacy standard general-purpose v1 | LRS / GRS / RA-GRS | Storage | Standard_LRS / Standard_GRS / Standard_RAGRS | No |
| Legacy blob storage | LRS / GRS / RA-GRS | BlobStorage | Standard_LRS / Standard_GRS / Standard_RAGRS | No |

To create an Azure storage account with the Azure portal, follow these steps:

  1. From the left portal menu, select Storage accounts to display a list of your storage accounts. If the portal menu isn't visible, select the menu button to toggle it on.

    Image of the Azure portal homepage showing the location of the Menu button near the top left corner of the browser.

  2. On the Storage accounts page, select Create.

    Image showing the location of the create button within the Azure portal Storage Accounts page.

Options for your new storage account are organized into tabs in the Create a storage account page. The following sections describe each of the tabs and their options.

Basics tab

On the Basics tab, provide the essential information for your storage account. After you complete the Basics tab, you can choose to further customize your new storage account by setting options on the other tabs, or you can select Review + create to accept the default options and proceed to validate and create the account.

The following table describes the fields on the Basics tab. Each entry lists the section, the field, whether it is required or optional, and a description.

Project details / Subscription (Required): Select the subscription for the new storage account.

Project details / Resource group (Required): Create a new resource group for this storage account, or select an existing one. For more information, see Resource groups.

Instance details / Storage account name (Required): Choose a unique name for your storage account. Storage account names must be between 3 and 24 characters in length and might contain numbers and lowercase letters only.

Instance details / Region (Required): Select the appropriate region for your storage account. For more information, see Regions and Availability Zones in Azure.

Not all regions are supported for all types of storage accounts or redundancy configurations. For more information, see Azure Storage redundancy.

The choice of region can have a billing impact. For more information, see Storage account billing.

If your subscription supports Azure public multi-access edge zones (Azure MEC), you can deploy your storage account to an edge zone. For more information about edge zones, see What is Azure public MEC?.

Instance details / Performance (Required): Select Standard performance for general-purpose v2 storage accounts (default). This type of account is recommended by Microsoft for most scenarios. For more information, see Types of storage accounts.

Select Premium for scenarios requiring low latency. After selecting Premium, select the type of premium storage account to create. The following types of premium storage accounts are available:

Instance details / Redundancy (Required): Select your desired redundancy configuration. Not all redundancy options are available for all types of storage accounts in all regions. For more information about redundancy configurations, see Azure Storage redundancy.

If you select a geo-redundant configuration (GRS or GZRS), your data is replicated to a data center in a different region. For read access to data in the secondary region, select Make read access to data available in the event of regional unavailability.

The following image shows a standard configuration of the basic properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Basics tab.

Advanced tab

On the Advanced tab, you can configure additional options and modify default settings for your new storage account. Some of these options can also be configured after the storage account is created, while others must be configured at the time of creation.

The following table describes the fields on the Advanced tab. Each entry lists the section, the field, whether it is required or optional, and a description.

Security / Require secure transfer for REST API operations (Optional): Require secure transfer to ensure that incoming requests to this storage account are made only via HTTPS (default). Recommended for optimal security. For more information, see Require secure transfer to ensure secure connections.

Security / Allow enabling anonymous access on individual containers (Optional): When enabled, this setting allows a user with the appropriate permissions to enable anonymous access to a container in the storage account (default). Disabling this setting prevents all anonymous access to the storage account. Microsoft recommends disabling this setting for optimal security.

For more information, see Prevent anonymous read access to containers and blobs.

Enabling anonymous access does not make blob data available for anonymous access unless the user takes the additional step to explicitly configure the container's anonymous access setting.

Security / Enable storage account key access (Optional): When enabled, this setting allows clients to authorize requests to the storage account using either the account access keys or a Microsoft Entra account (default). Disabling this setting prevents authorization with the account access keys. For more information, see Prevent Shared Key authorization for an Azure Storage account.

Security / Default to Microsoft Entra authorization in the Azure portal (Optional): When enabled, the Azure portal authorizes data operations with the user's Microsoft Entra credentials by default. If the user does not have the appropriate permissions assigned via Azure role-based access control (Azure RBAC) to perform data operations, then the portal will use the account access keys for data access instead. The user can also choose to switch to using the account access keys. For more information, see Default to Microsoft Entra authorization in the Azure portal.

Security / Minimum TLS version (Required): Select the minimum version of Transport Layer Security (TLS) for incoming requests to the storage account. The default value is TLS version 1.2. When set to the default value, incoming requests made using TLS 1.0 or TLS 1.1 are rejected. For more information, see Enforce a minimum required version of Transport Layer Security (TLS) for requests to a storage account.

Security / Permitted scope for copy operations (preview) (Required): Select the scope of storage accounts from which data can be copied to the new account. The default value is From any storage account. When set to the default value, users with the appropriate permissions can copy data from any storage account to the new account.

Select From storage accounts in the same Azure AD tenant to only allow copy operations from storage accounts within the same Microsoft Entra tenant.
Select From storage accounts that have a private endpoint to the same virtual network to only allow copy operations from storage accounts with private endpoints on the same virtual network.

For more information, see Restrict the source of copy operations to a storage account.

Data Lake Storage Gen2 / Enable hierarchical namespace (Optional): To use this storage account for Azure Data Lake Storage Gen2 workloads, configure a hierarchical namespace. For more information, see Introduction to Azure Data Lake Storage Gen2.

Blob storage / Enable SFTP (Optional): Enable the use of Secure File Transfer Protocol (SFTP) to securely transfer data over the internet. For more information, see Secure File Transfer (SFTP) protocol support in Azure Blob Storage.

Blob storage / Enable network file system (NFS) v3 (Optional): NFS v3 provides Linux file system compatibility at object storage scale and enables Linux clients to mount a container in Blob storage from an Azure Virtual Machine (VM) or a computer on-premises. For more information, see Network File System (NFS) 3.0 protocol support in Azure Blob Storage.

Blob storage / Allow cross-tenant replication (Required): By default, users with appropriate permissions can configure object replication across Microsoft Entra tenants. To prevent replication across tenants, deselect this option. For more information, see Prevent replication across Microsoft Entra tenants.

Blob storage / Access tier (Required): Blob access tiers enable you to store blob data in the most cost-effective manner, based on usage. Select the hot tier (default) for frequently accessed data. Select the cool tier for infrequently accessed data. For more information, see Hot, Cool, and Archive access tiers for blob data.
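The kind and sku values from the storage account type table at the top of this page, the naming rule from the Basics tab, and the Security options on the Advanced tab all map onto flags of the Azure CLI. The following shell script is an added example, not code from the original article or from Microsoft: it validates an account name and a kind/sku pair against that table, then prints (rather than runs) an az storage account create command that applies the hardened choices described above (HTTPS only, TLS 1.2 minimum, anonymous container access disabled, Shared Key authorization disabled, cross-tenant replication disabled). The account name, resource group and region are constructed placeholders; the az flags are real CLI options.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Builds a hardened
# "az storage account create" command from the Basics/Advanced tab choices.
# Names below are constructed placeholders; the az flags are real.

# Storage account names: 3 to 24 characters, lowercase letters and digits only.
validate_name() {
  case "$1" in
    *[!a-z0-9]*) return 1 ;;    # reject anything outside [a-z0-9]
  esac
  if [ "${#1}" -lt 3 ] || [ "${#1}" -gt 24 ]; then
    return 1
  fi
  return 0
}

# Allowed kind/sku pairs, taken from the storage account type table above.
validate_kind_sku() {
  case "$1:$2" in
    StorageV2:Standard_LRS|StorageV2:Standard_GRS|StorageV2:Standard_RAGRS|\
    StorageV2:Standard_ZRS|StorageV2:Standard_GZRS|StorageV2:Standard_RAGZRS|\
    StorageV2:Premium_LRS|\
    BlockBlobStorage:Premium_LRS|BlockBlobStorage:Premium_ZRS|\
    FileStorage:Premium_LRS|FileStorage:Premium_ZRS|\
    Storage:Standard_LRS|Storage:Standard_GRS|Storage:Standard_RAGRS|\
    BlobStorage:Standard_LRS|BlobStorage:Standard_GRS|BlobStorage:Standard_RAGRS)
      return 0 ;;
    *)
      return 1 ;;
  esac
}

# Print the create command with the secure Advanced-tab settings:
# HTTPS only, TLS 1.2 minimum, no anonymous container access,
# no Shared Key authorization, no cross-tenant object replication.
# Arguments: name resource-group region kind sku
build_create_cmd() {
  if ! validate_name "$1"; then
    echo "invalid storage account name: $1" >&2
    return 1
  fi
  if ! validate_kind_sku "$4" "$5"; then
    echo "unsupported kind/sku combination: $4/$5" >&2
    return 1
  fi
  printf 'az storage account create --name %s --resource-group %s --location %s' "$1" "$2" "$3"
  printf ' --kind %s --sku %s' "$4" "$5"
  printf ' --https-only true --min-tls-version TLS1_2'
  printf ' --allow-blob-public-access false --allow-shared-key-access false'
  printf ' --allow-cross-tenant-replication false\n'
}

# Constructed example: a standard general-purpose v2 account with GZRS redundancy.
build_create_cmd examplestorage01 example-rg westeurope StorageV2 Standard_GZRS
```

Printing the command instead of executing it lets you review it (or check it into source control) before running it after az login. Disabling Shared Key access means every client must use Microsoft Entra authorization, so confirm your workloads support that before applying the flag in production.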

The following image shows a standard configuration of the advanced properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Advanced tab.

Networking tab

On the Networking tab, you can configure network connectivity and routing preference settings for your new storage account. These options can also be configured after the storage account is created.

The following table describes the fields on the Networking tab. Each entry lists the section, the field, whether it is required or optional, and a description.

Network connectivity / Network access (Required): By default, incoming network traffic is routed to the public endpoint for your storage account. You can specify that traffic must be routed to the public endpoint through an Azure virtual network. You can also configure private endpoints for your storage account. For more information, see Use private endpoints for Azure Storage.

Network connectivity / Endpoint type (Required): Azure Storage supports two types of endpoints: standard endpoints (the default) and Azure DNS zone endpoints (preview). Within a given subscription, you can create up to 250 accounts with standard endpoints per region (see note 1), and up to 5000 accounts with Azure DNS zone endpoints per region, for a total of 5250 storage accounts. To register for the preview, see About the preview.

Network routing / Routing preference (Required): The network routing preference specifies how network traffic is routed to the public endpoint of your storage account from clients over the internet. By default, a new storage account uses Microsoft network routing. You can also choose to route network traffic through the POP closest to the storage account, which might lower networking costs. For more information, see Network routing preference for Azure Storage.

Note 1: With a quota increase, you can create up to 500 storage accounts with standard endpoints per region in a given subscription, for a total of 5500 storage accounts per region. For more information, see Increase Azure Storage account quotas.

The following image shows a standard configuration of the networking properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Networking tab.

Important: Azure DNS zone endpoints are currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Data protection tab

On the Data protection tab, you can configure data protection options for blob data in your new storage account. These options can also be configured after the storage account is created. For an overview of data protection options in Azure Storage, see Data protection overview.

The following table describes the fields on the Data protection tab. Each entry lists the section, the field, whether it is required or optional, and a description.

Recovery / Enable point-in-time restore for containers (Optional): Point-in-time restore provides protection against accidental deletion or corruption by enabling you to restore block blob data to an earlier state. For more information, see Point-in-time restore for block blobs.

Enabling point-in-time restore also enables blob versioning, blob soft delete, and blob change feed. These prerequisite features might have a cost impact. For more information, see Pricing and billing for point-in-time restore.

Recovery / Enable soft delete for blobs (Optional): Blob soft delete protects an individual blob, snapshot, or version from accidental deletes or overwrites by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted object to its state at the time it was deleted. For more information, see Soft delete for blobs.

Microsoft recommends enabling blob soft delete for your storage accounts and setting a minimum retention period of seven days.

Recovery / Enable soft delete for containers (Optional): Container soft delete protects a container and its contents from accidental deletes by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted container to its state at the time it was deleted. For more information, see Soft delete for containers.

Microsoft recommends enabling container soft delete for your storage accounts and setting a minimum retention period of seven days.

Recovery / Enable soft delete for file shares (Optional): Soft delete for file shares protects a file share and its contents from accidental deletes by maintaining the deleted data in the system for a specified retention period. During the retention period, you can restore a soft-deleted file share to its state at the time it was deleted. For more information, see Prevent accidental deletion of Azure file shares.

Microsoft recommends enabling soft delete for file shares for Azure Files workloads and setting a minimum retention period of seven days.

Tracking / Enable versioning for blobs (Optional): Blob versioning automatically saves the state of a blob in a previous version when the blob is overwritten. For more information, see Blob versioning.

Microsoft recommends enabling blob versioning for optimal data protection for the storage account.

Tracking / Enable blob change feed (Optional): The blob change feed provides transaction logs of all changes to all blobs in your storage account, as well as to their metadata. For more information, see Change feed support in Azure Blob Storage.

Access control / Enable version-level immutability support (Optional): Enable support for immutability policies that are scoped to the blob version. If this option is selected, then after you create the storage account, you can configure a default time-based retention policy for the account or for the container, which blob versions within the account or container will inherit by default. For more information, see Enable version-level immutability support on a storage account.
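The Data protection options above can also be set after creation, which is how they are usually enforced across many accounts. The following shell script is an added example, not code from the original article or from Microsoft: it checks that the requested retention period meets the seven-day minimum Microsoft recommends (and the 365-day maximum the CLI accepts), then prints an az storage account blob-service-properties update command that turns on blob soft delete, container soft delete, blob versioning and the change feed together. Account and resource group names are constructed placeholders; the az flags are real CLI options. Soft delete for file shares is a separate file-service setting and is not covered here.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Applies the blob data-protection
# recommendations (soft delete >= 7 days, versioning, change feed) to an existing
# account by printing the az command. Names are constructed placeholders.

# Retention must be a whole number of days: at least 7 (Microsoft's recommended
# minimum, per the table above) and at most 365 (the CLI's upper bound).
validate_retention_days() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;    # empty or non-numeric
  esac
  if [ "$1" -lt 7 ] || [ "$1" -gt 365 ]; then
    return 1
  fi
  return 0
}

# Print the update command for one account.
# Arguments: account-name resource-group retention-days
build_data_protection_cmd() {
  if ! validate_retention_days "$3"; then
    echo "retention days must be between 7 and 365, got: $3" >&2
    return 1
  fi
  printf 'az storage account blob-service-properties update --account-name %s --resource-group %s' "$1" "$2"
  # Blob soft delete: keeps deleted/overwritten blobs, snapshots and versions.
  printf ' --enable-delete-retention true --delete-retention-days %s' "$3"
  # Container soft delete: keeps deleted containers and their contents.
  printf ' --enable-container-delete-retention true --container-delete-retention-days %s' "$3"
  # Versioning keeps the previous state on overwrite; change feed logs every change.
  printf ' --enable-versioning true --enable-change-feed true\n'
}

# Constructed example: seven-day retention on an existing account.
build_data_protection_cmd examplestorage01 example-rg 7
```

Because the same retention value is used for both blobs and containers, a single number controls how long you can undo an accidental deletion. Versioning and change feed add storage and transaction cost, as the table notes for point-in-time restore, so confirm the budget before rolling this out to every account.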

The following image shows a standard configuration of the data protection properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Data Protection tab.

Encryption tab

On the Encryption tab, you can configure options that relate to how your data is encrypted when it is persisted to the cloud. Some of these options can be configured only when you create the storage account.


FieldRequired or optionalDescription
Encryption typeRequiredBy default, data in the storage account is encrypted by using Microsoft-managed keys. You can rely on Microsoft-managed keys for the encryption of your data, or you can manage encryption with your own keys. For more information, see Azure Storage encryption for data at rest.
Enable support for customer-managed keysRequiredBy default, customer managed keys can be used to encrypt only blobs and files. Set this option to All service types (blobs, files, tables, and queues) to enable support for customer-managed keys for all services. You are not required to use customer-managed keys if you choose this option. For more information, see Customer-managed keys for Azure Storage encryption.
Encryption keyRequired if Encryption type field is set to Customer-managed keys.If you choose Select a key vault and key, you are presented with the option to navigate to the key vault and key that you wish to use. If you choose Enter key from URI, then you are presented with a field to enter the key URI and the subscription.
User-assigned identityRequired if Encryption type field is set to Customer-managed keys.If you are configuring customer-managed keys at create time for the storage account, you must provide a user-assigned identity to use for authorizing access to the key vault.
Enable infrastructure encryptionOptionalBy default, infrastructure encryption is not enabled. Enable infrastructure encryption to encrypt your data at both the service level and the infrastructure level. For more information, see Create a storage account with infrastructure encryption enabled for double encryption of data.

The following image shows a standard configuration of the encryption properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Encryption tab.

Tags tab

On the Tags tab, you can specify Resource Manager tags to help organize your Azure resources. For more information, see Tag resources, resource groups, and subscriptions for logical organization.

The following image shows a standard configuration of the index tag properties for a new storage account.

Screenshot showing a standard configuration for a new storage account - Tags tab.

Review + create tab

When you navigate to the Review + create tab, Azure runs validation on the storage account settings that you have chosen. If validation passes, you can proceed to create the storage account.

If validation fails, then the portal indicates which settings need to be modified.

The following image shows the Review tab data prior to the creation of a new storage account.

Screenshot showing a standard configuration for a new storage account - Review tab.

Delete a storage account

Deleting a storage account deletes the entire account, including all data in the account. Be sure to back up any data you want to save before you delete the account.

Under certain circumstances, a deleted storage account might be recovered, but recovery is not guaranteed. For more information, see Recover a deleted storage account.

If you try to delete a storage account associated with an Azure virtual machine, you might get an error about the storage account still being in use. For help troubleshooting this error, see Troubleshoot errors when you delete storage accounts.

  1. Navigate to the storage account in the Azure portal.
  2. Select Delete.
