Sie sind auf Seite 1von 26

Module 7

Storing and Consuming Files from

Azure Storage
Module Overview

Storage Blobs
Controlling Access to Storage Blobs and
Configuring Azure Storage Accounts
Azure Files
Lesson 1: Storage Blobs

Storage Blobs
Blob Types
REST API for Storage Blobs
Storage Blobs

You can use Blob storage to store large amounts

of unstructured text or binary data.
You can use Blob storage to store files such as:
Virtual hard disk drives
Log text files

You can use Blob storage to group blobs into

logical, hierarchical containers
You can secure blobs and make them available
for anonymous access
Storage Blobs (cont.)

Containers Blobs


videos VID04.mp4
Blob Types

There are two primary types of blobs:

Page Block
blobs blobs
Page Blobs

Page Blobs are a collection of 512-byte pages

Optimized for Random Access and Frequent Updates
Used as persistent disks for VMs in Azure.
Highly performant, durable and reliable
Can grow and shrink in size by adding or removing
Modifications of a page blob can overwrite one
or more pages.
Changes are in-place and immediately committed.
A page blob can be no larger than 1 TB.
Block Blobs

Block Blobs are comprised of a series of blocks

Blocks can be uploaded in parallel sets to speed up the
ingress of a large file.
You can use an MD5 hash to verify that each block is
uploaded successfully and retry failed blocks.
You can also track the progress of block upload.
While uploading, the blob is considered uncommitted.
When all blocks are uploaded, you can determine the order
and then commit the blob.
Block Blobs are optimized for multimedia
streaming scenarios.
Block Blobs can be no larger than 200 GB.
REST API for Storage Blobs

Blobs have the simplest of all of the Storage REST

POST, PUT, and DELETE is available on the same
You can access containers for operations by
using the restype query string parameter
You can append Shared Access Signature (SAS)
tokens to the end of a URL to access protected
Lesson 2: Controlling Access to Storage Blobs
and Containers

Container Permissions
Shared Access Signatures
Stored Access Policies
Generating Shared Access Signatures from Policies
Container Permissions

There are three levels of container access that are

Full public read access
Enumerate container blobs
Read individual blobs
Cannot enumerate containers
Public read access for blobs only
Read individual blobs
No public read access
No access to blobs, containers, or enumerating contents
Shared Access Signatures

A Shared Access Signature (SAS Token) is a URI

that grants access to a protected container, blob,
queue or table for a specific time interval.
Allows client application to access a resource without
using the storage account key.
Should only be used with secure (HTTPS) requests
Can be generated with the following components
Start Time
Expiry Time
Permission Levels (Read, Write, Delete, List, None)
Structure of a Shared Access Signature

]/[blob]?sv=[Storage Services Version]&?st=[Start
Stored Access Policies

Stored access policies allow you to have granular

control over a set of shared access signatures
The signature lifetime and permissions are stored in
the policy as opposed to the URL
You can modify the properties in the policy and the
changes are automatically propagated to all signatures
generated from the policy
You can also invalidated all signatures generated from
a policy
A Container, Queue or Table can have up to 5
Stored Access Policies
Generating Shared Access Signatures from
// Get a reference to the container
var container =

// Create blob container permissions

var blobPermissions = new BlobContainerPermissions();
blobPermissions.SharedAccessPolicies.Add("mypolicy", new
SharedAccessBlobPolicy() {
SharedAccessExpiryTime =
Permissions = SharedAccessBlobPermissions.Read
blobPermissions.PublicAccess =
Generating Shared Access Signatures from
// Set the permission policy on the container.

// Get a reference to the container for the shared

access signature
var container =

// Get the shared access signature to share with users.

string sasToken = container.GetSharedAccessSignature(
new SharedAccessBlobPolicy(),
Lesson 3: Configuring Azure Storage Accounts

Content Delivery Network

Cross-Origin Resource Sharing
Content Delivery Network

You can create CDN endpoints for an existing

storage account
Storage content is cached to edge servers that is
closer to your users
You can also create CDN endpoints for a cloud
CDN content can be configured to be served
from a custom domain
Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) allows

client code to make requests across domains.
Browsers and security policies typically restrict these
type of requests.
CORS is an extension of the HTTP
request/response spec.
Composed of two requests (preflight and actual).
CORS is enabled using rules at the Storage
Account level.
CORS is opt-in.
The rules serve as a policy list of allowed origins,
methods and headers.
Lesson 4: Azure Files

Azure Files Overview

File Shares
Azure Files Overview

Azure Files is a service that exposes SMB file

shares that can be shared between applications.
Since SMB is a common standard for file shares
in Windows, this enables Lift and Shift
VMs can connect to the Azure Files share in the same
way they connect to SMB shares on premise.
Very low friction method of migrating applications and
workloads to Azure VMs.
File Shares

You can create a file share by using the REST API

or Windows PowerShell
File shares use the SMB 2.1 protocol
File shares can be mapped as a drive in Windows
Lab: Storing Generated Documents in Azure
Storage Blobs

Estimated Time: 60 minutes

Lab Scenario

You need a place to store the Word documents

that are generated by the Contoso Events
application. You decide store the generated
Word documents in blobs. You also decide to
create a protected container so that the Word
documents are not accessed by anonymous
users. Finally, you want to create the logic to
generate SAS tokens for temporary access to
one of the Word documents.
Lab Review

Your server application needs to generate a SAS

for the client to download a subset of blobs in a
single container. Should you give the signature
read access to the container or read access to the
individual blobs?
Module Review and Takeaways

Review Question(s)