Sie sind auf Seite 1von 26

Module 7

Storing and Consuming Files from


Azure Storage
Module Overview

Storage Blobs
Controlling Access to Storage Blobs and
Containers
Configuring Azure Storage Accounts
Azure Files
Lesson 1: Storage Blobs

Storage Blobs
Blob Types
REST API for Storage Blobs
Storage Blobs

You can use Blob storage to store large amounts


of unstructured text or binary data.
You can use Blob storage to store files such as:
Virtual hard disk drives
Videos
Images
Log text files

You can use Blob storage to group blobs into


logical, hierarchical containers
You can secure blobs and make them available
for anonymous access
Storage Blobs (cont.)

Storage
Containers Blobs
Account

PIC01.jpg
images
PIC02.jpg
contoso

videos VID04.mp4
Blob Types

There are two primary types of blobs:

Page Block
blobs blobs
Page Blobs

Page Blobs are a collection of 512-byte pages


Optimized for Random Access and Frequent Updates
Used as persistent disks for VMs in Azure.
Highly performant, durable and reliable
Can grow and shrink in size by adding or removing
pages
Modifications of a page blob can overwrite one
or more pages.
Changes are in-place and immediately committed.
A page blob can be no larger than 1 TB.
Block Blobs

Block Blobs are comprised of a series of blocks


Blocks can be uploaded in parallel sets to speed up the
ingress of a large file.
You can use an MD5 hash to verify that each block is
uploaded successfully and retry failed blocks.
You can also track the progress of block upload.
While uploading, the blob is considered uncommitted.
When all blocks are uploaded, you can determine the order
and then commit the blob.
Block Blobs are optimized for multimedia
streaming scenarios.
Block Blobs can be no larger than 200 GB.
REST API for Storage Blobs

Blobs have the simplest of all of the Storage REST


endpoints
GET BLOB
https://[account].blob.core.windows.net/[container]/[blob]
POST, PUT, and DELETE is available on the same
endpoint
You can access containers for operations by
using the restype query string parameter
https://[account].blob.core.windows.net/[container]?rest
ype=container
You can append Shared Access Signature (SAS)
tokens to the end of a URL to access protected
blobs
Lesson 2: Controlling Access to Storage Blobs
and Containers

Container Permissions
Shared Access Signatures
Stored Access Policies
Generating Shared Access Signatures from Policies
Container Permissions

There are three levels of container access that are


available
Full public read access
Enumerate container blobs
Read individual blobs
Cannot enumerate containers
Public read access for blobs only
Read individual blobs
No public read access
No access to blobs, containers, or enumerating contents
Shared Access Signatures

A Shared Access Signature (SAS Token) is a URI


that grants access to a protected container, blob,
queue or table for a specific time interval.
Allows client application to access a resource without
using the storage account key.
Should only be used with secure (HTTPS) requests
Can be generated with the following components
Start Time
Expiry Time
Permission Levels (Read, Write, Delete, List, None)
Structure of a Shared Access Signature

https://myaccount.blob.core.windows.net/sascont
ainer/sasblob.txt?sv=2012-02-12&st=2013-04-
29T22%3A18%3A26Z&se=2013-04-
30T02%3A23%3A26Z&sr=b&sp=rw&sig=Z%2FRHIX5Xcg0Mq
2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D

http://[account].blob.core.windows.net/[container
]/[blob]?sv=[Storage Services Version]&?st=[Start
Time]&se=[Expiry
Time]&sr=[Resource]&sr=[Permissions
Granted]&si=[nameofpolicy]&sig=[HMAC-SHA256
value]
Stored Access Policies

Stored access policies allow you to have granular


control over a set of shared access signatures
The signature lifetime and permissions are stored in
the policy as opposed to the URL
You can modify the properties in the policy and the
changes are automatically propagated to all signatures
generated from the policy
You can also invalidated all signatures generated from
a policy
A Container, Queue or Table can have up to 5
Stored Access Policies
Generating Shared Access Signatures from
Policies
// Get a reference to the container
var container =
blobClient.GetContainerReference(files");
container.CreateIfNotExists();

// Create blob container permissions


var blobPermissions = new BlobContainerPermissions();
blobPermissions.SharedAccessPolicies.Add("mypolicy", new
SharedAccessBlobPolicy() {
SharedAccessExpiryTime =
DateTime.UtcNow.AddHours(10),
Permissions = SharedAccessBlobPermissions.Read
}
);
blobPermissions.PublicAccess =
BlobContainerPublicAccessType.Off;
Generating Shared Access Signatures from
Policies
// Set the permission policy on the container.
container.SetPermissions(blobPermissions);

// Get a reference to the container for the shared


access signature
var container =
blobClient.GetContainerReference(files");
container.CreateIfNotExists();

// Get the shared access signature to share with users.


string sasToken = container.GetSharedAccessSignature(
new SharedAccessBlobPolicy(),
"mypolicy
);
Lesson 3: Configuring Azure Storage Accounts

Content Delivery Network


Cross-Origin Resource Sharing
Content Delivery Network

You can create CDN endpoints for an existing


storage account
Storage content is cached to edge servers that is
closer to your users
You can also create CDN endpoints for a cloud
service
CDN content can be configured to be served
from a custom domain
Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) allows


client code to make requests across domains.
Browsers and security policies typically restrict these
type of requests.
CORS is an extension of the HTTP
request/response spec.
Composed of two requests (preflight and actual).
CORS is enabled using rules at the Storage
Account level.
CORS is opt-in.
The rules serve as a policy list of allowed origins,
methods and headers.
Lesson 4: Azure Files

Azure Files Overview


File Shares
Azure Files Overview

Azure Files is a service that exposes SMB file


shares that can be shared between applications.
Since SMB is a common standard for file shares
in Windows, this enables Lift and Shift
scenarios.
VMs can connect to the Azure Files share in the same
way they connect to SMB shares on premise.
Very low friction method of migrating applications and
workloads to Azure VMs.
File Shares

You can create a file share by using the REST API


or Windows PowerShell
File shares use the SMB 2.1 protocol
File shares can be mapped as a drive in Windows
Lab: Storing Generated Documents in Azure
Storage Blobs

Estimated Time: 60 minutes


Lab Scenario

You need a place to store the Word documents


that are generated by the Contoso Events
application. You decide store the generated
Word documents in blobs. You also decide to
create a protected container so that the Word
documents are not accessed by anonymous
users. Finally, you want to create the logic to
generate SAS tokens for temporary access to
one of the Word documents.
Lab Review

Your server application needs to generate a SAS


for the client to download a subset of blobs in a
single container. Should you give the signature
read access to the container or read access to the
individual blobs?
Module Review and Takeaways

Review Question(s)