Storage: Lesson 7 of 16

Blob Storage

Azure Blob Storage is massively scalable object storage for unstructured data — images, videos, backups, logs, static websites, and anything that doesn't fit a relational model.

Simple Explanation

Blob Storage is a giant filing cabinet in the cloud. You put files (blobs) into folders (containers). No file system, no path traversal — just a flat namespace with unlimited scale.

Hierarchy

Blob Storage Structure

Storage Account: mystorageacct
  Container: images
    Blob: profile.jpg
  Container: backups
    Blob: 2024-01.sql.gz
  Container: logs
    Blob: app.log

Blob Types

Type        | Purpose                                  | When to Use
Block Blob  | Optimized for large uploads (chunked)    | Images, videos, documents, backups (most common)
Append Blob | Append-only operations                   | Log files, audit trails, streaming data
Page Blob   | Random read/write (managed disk backing) | Azure VM disks, VHDs

Access Tiers

Tier    | Access Frequency               | Storage Cost | Retrieval Cost
Hot     | Frequently accessed            | Higher       | Lower
Cool    | Infrequently (30+ days)        | Lower        | Higher
Cold    | Rarely (90+ days)              | Even lower   | Higher
Archive | Long-term archival (180+ days) | Lowest       | Highest (hours to rehydrate)

Access Control

Pick the least-privilege access option for each scenario.

Security Note

Never use a public container for sensitive files. Public containers expose all blobs to the internet without any authentication. Always use private containers with SAS tokens or RBAC for anything non-public.

Commands

Azure CLI
# Create a container
az storage container create \
  --account-name mystorageacct \
  --name images \
  --public-access off

# Upload a file
az storage blob upload \
  --account-name mystorageacct \
  --container-name images \
  --name profile.jpg \
  --file ./profile.jpg

# List blobs in container
az storage blob list \
  --account-name mystorageacct \
  --container-name images \
  --output table

# Download a blob
az storage blob download \
  --account-name mystorageacct \
  --container-name images \
  --name profile.jpg \
  --file ./downloaded.jpg

# Generate a SAS token (valid 1 hour, read-only)
az storage blob generate-sas \
  --account-name mystorageacct \
  --container-name images \
  --name profile.jpg \
  --permissions r \
  --expiry $(date -u -d '+1 hour' '+%Y-%m-%dT%H:%MZ') \
  --output tsv

# Change access tier (Cool → Archive)
az storage blob set-tier \
  --account-name mystorageacct \
  --container-name backups \
  --name old-backup.gz \
  --tier Archive

Lifecycle Management

Automate tier transitions and deletion to cut storage costs:

JSON (Lifecycle policy)
{
  "rules": [
    {
      "name": "move-to-cool-after-30d",
      "enabled": true,
      "type": "Lifecycle",
      "definition": {
        "filters": { "blobTypes": ["blockBlob"] },
        "actions": {
          "baseBlob": {
            "tierToCool": { "daysAfterModificationGreaterThan": 30 },
            "tierToArchive": { "daysAfterModificationGreaterThan": 90 },
            "delete": { "daysAfterModificationGreaterThan": 365 }
          }
        }
      }
    }
  ]
}
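A dry-run evaluator for the policy above, added here as an example; it is not part of the lesson or of any Azure tooling. It applies the precedence Azure documents for baseBlob actions (when several actions match one blob, the cheapest wins: delete over tierToArchive over tierToCool) and skips tier moves that would not make the blob cheaper, so it also covers the "archive after 365 days" scenario later in the lesson. The sample blob inventory and the NOW timestamp are constructed.

```python
"""Dry-run evaluator for an Azure Blob lifecycle management policy (added example)."""
from datetime import datetime, timedelta, timezone

# The lifecycle policy from the lesson, as a Python dict.
POLICY = {
    "rules": [
        {
            "name": "move-to-cool-after-30d",
            "enabled": True,
            "type": "Lifecycle",
            "definition": {
                "filters": {"blobTypes": ["blockBlob"]},
                "actions": {
                    "baseBlob": {
                        "tierToCool": {"daysAfterModificationGreaterThan": 30},
                        "tierToArchive": {"daysAfterModificationGreaterThan": 90},
                        "delete": {"daysAfterModificationGreaterThan": 365},
                    }
                },
            },
        }
    ]
}

# Cheapest action first: the precedence Azure applies when several actions match.
ACTION_PRECEDENCE = ["delete", "tierToArchive", "tierToCool"]
# Higher rank = cheaper storage. A tier action only ever moves a blob down this list.
TIER_RANK = {"Hot": 0, "Cool": 1, "Cold": 2, "Archive": 3}
ACTION_TARGET_TIER = {"tierToCool": "Cool", "tierToArchive": "Archive"}


def _matches_filters(blob, filters):
    """Apply the rule's filters: required blob type and optional name prefixes."""
    if blob["type"] not in filters.get("blobTypes", []):
        return False
    prefixes = filters.get("prefixMatch")
    if prefixes and not any(blob["name"].startswith(p) for p in prefixes):
        return False
    return True


def evaluate_blob(blob, policy, now):
    """Return the single action the policy would take on one blob, or None."""
    age_days = (now - blob["last_modified"]).days
    candidates = []
    for rule in policy["rules"]:
        if not rule.get("enabled", True) or rule.get("type") != "Lifecycle":
            continue
        definition = rule["definition"]
        if not _matches_filters(blob, definition.get("filters", {})):
            continue
        for action, cond in definition["actions"].get("baseBlob", {}).items():
            threshold = cond.get("daysAfterModificationGreaterThan")
            if threshold is None or age_days <= threshold:
                continue
            target = ACTION_TARGET_TIER.get(action)
            # A tier change is a no-op if the blob is already at or below that tier.
            if target and TIER_RANK[blob["tier"]] >= TIER_RANK[target]:
                continue
            candidates.append(action)
    if not candidates:
        return None
    return min(candidates, key=ACTION_PRECEDENCE.index)  # cheapest action wins


def dry_run(blobs, policy, now):
    """Map each blob name to the action the policy would take on it."""
    return {b["name"]: evaluate_blob(b, policy, now) for b in blobs}


# Constructed sample inventory (not real data): name, blob type, current tier, age in days.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _blob(name, blob_type, tier, age_days):
    return {"name": name, "type": blob_type, "tier": tier,
            "last_modified": NOW - timedelta(days=age_days)}


SAMPLE_BLOBS = [
    _blob("images/profile.jpg", "blockBlob", "Hot", 10),          # too young: no action
    _blob("images/banner.png", "blockBlob", "Hot", 45),           # > 30 days: tierToCool
    _blob("backups/2024-01.sql.gz", "blockBlob", "Cool", 120),    # > 90 days: tierToArchive
    _blob("backups/2022-12.sql.gz", "blockBlob", "Archive", 400), # > 365 days: delete
    _blob("logs/app.log", "appendBlob", "Hot", 400),              # wrong blob type: excluded
    _blob("backups/2023-10.sql.gz", "blockBlob", "Archive", 200), # already Archive, < 365: none
]

if __name__ == "__main__":
    for name, action in dry_run(SAMPLE_BLOBS, POLICY, NOW).items():
        print(f"{name:28} -> {action}")
```

Because a rule with only `tierToCool` never deletes anything, the evaluator is a cheap way to confirm that a policy written for cost savings cannot silently destroy data, and to see which blobs an appendBlob-only workload leaves untouched.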

Hands-on

  1. Create a private container called uploads.
  2. Upload 3 files and list them with CLI.
  3. Generate a SAS token valid for 10 minutes and access the file via URL.
  4. Create a lifecycle policy to move blobs to Cool after 30 days.
  5. Enable static website hosting and deploy an index.html.

Debugging Scenario

Issue: Application receives 403 Forbidden when accessing blobs.

Interview Questions

Beginner

What is a blob container?

A logical grouping within a Storage Account for organizing blobs, similar to a bucket in S3. It has its own access policy (private/public).

What is a SAS token?

A Shared Access Signature — a signed URL that grants limited, time-bound access to a specific blob or container without exposing the account key.

Scenario-based

You need to give a third-party vendor temporary read-only access to a specific blob for 24 hours.

Generate a SAS token with --permissions r and --expiry set to 24 hours. Send only the SAS URL. No credentials needed by the vendor.
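The SAS token definition above and the vendor scenario both come down to checking four properties of the URL you hand out: permissions, expiry, scheme and scope. The following checker is an added example (not code from the lesson or from the Azure SDK) that parses the standard SAS query parameters (sp, st, se, spr, sr, srt, sig) and reports anything that violates the read-only, time-bound, HTTPS-only rules the lesson gives. The sample URLs and their sig values are constructed placeholders; the checker deliberately does not verify the signature, which would need the account key.

```python
"""Pre-flight checks on a SAS URL before sharing it (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse


def _parse_sas_time(value):
    """SAS times are ISO 8601 UTC, with or without seconds (e.g. 2024-06-02T12:00Z)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%dZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp: {value!r}")


def check_sas_url(url, now, max_lifetime=timedelta(hours=24), allowed_permissions="r"):
    """Return a list of findings; an empty list means the SAS URL passes."""
    findings = []
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}

    if parsed.scheme != "https":
        findings.append("URL is not https")
    if "sig" not in params:
        findings.append("no signature (sig) parameter: not a SAS URL")

    # sp lists granted permissions as single letters (r=read, w=write, d=delete, l=list, ...).
    extra = set(params.get("sp", "")) - set(allowed_permissions)
    if extra:
        findings.append(f"permissions grant more than {allowed_permissions!r}: "
                        f"{''.join(sorted(extra))}")

    # spr restricts the protocol; omitted or 'https,http' both allow plain http.
    if params.get("spr") != "https":
        findings.append("spr does not restrict the token to https")

    expiry = params.get("se")
    if expiry is None:
        findings.append("no expiry (se): token never expires")
    else:
        se = _parse_sas_time(expiry)
        st = _parse_sas_time(params["st"]) if "st" in params else now
        if se <= now:
            findings.append("token already expired")
        elif se - st > max_lifetime:
            findings.append(f"lifetime {se - st} exceeds {max_lifetime}")

    # Scope: sr=b is one blob; sr=c is a whole container; srt means an account SAS.
    if params.get("sr") == "c":
        findings.append("scope is a whole container (sr=c), not a single blob")
    if "srt" in params:
        findings.append("account SAS (srt): scope is the whole account, not a single blob")
    return findings


# Constructed sample URLs; sig values are placeholders, not real signatures.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
GOOD_SAS = ("https://mystorageacct.blob.core.windows.net/images/profile.jpg"
            "?sv=2022-11-02&sr=b&sp=r&st=2024-06-01T12:00Z&se=2024-06-02T12:00Z"
            "&spr=https&sig=PLACEHOLDER")
BAD_SAS = ("https://mystorageacct.blob.core.windows.net/images"
           "?sv=2022-11-02&sr=c&sp=rwdl&se=2025-06-01T12:00Z&spr=https,http&sig=PLACEHOLDER")

if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, check_sas_url(url, NOW) or "OK")
```

Pass `max_lifetime=timedelta(minutes=10)` to check the token from step 3 of the hands-on. When generating the token with the CLI, `--https-only` sets spr=https and `--full-uri` returns the complete URL rather than just the query string.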

Blobs older than 1 year are never accessed but you still need to keep them.

Set up a lifecycle management policy to move blobs to Archive tier after 365 days. Storage cost drops significantly (Archive is ~90% cheaper than Hot) with the trade-off of high retrieval cost and hours of rehydration time.

Summary

Blob Storage is the most-used Azure storage type. Use Block Blobs for files, private containers + RBAC for security, access tiers for cost optimization, and SAS tokens for temporary third-party access. Always avoid public containers for anything sensitive.