Storage accounts & redundancy

Services, LRS/ZRS/GRS, securing access.

Beginner30 min · lesson 7 of 15

Azure Storage is the foundational data service, and the storage account is where it all starts: a container for Blob, File, Queue, and Table storage with a redundancy setting that determines durability. Choosing the right account configuration is a core administrator decision.

Accounts, services, and redundancy

A storage account provides a unique namespace for your data and hosts four services: Blob (object storage for files and unstructured data), Files (managed SMB/NFS file shares), Queue (messaging), and Table (NoSQL key-value). The most important choice is redundancy, which controls how many copies exist and where. Locally-redundant storage (LRS) keeps three copies in one datacenter — cheapest, protects against disk failure. Zone-redundant storage (ZRS) spreads copies across availability zones in a region — survives a datacenter outage. Geo-redundant storage (GRS) replicates to a paired secondary region — survives a regional disaster. Match redundancy to how critical the data is and what failures you must survive.

redundancy options
# OPTION COPIES / LOCATION SURVIVES
# LRS 3 copies, one datacenter disk failure (cheapest)
# ZRS 3 copies across availability zones a datacenter outage
# GRS LRS + async copy to a paired region a regional disaster
# GZRS ZRS + async copy to a paired region zone + regional failure
#
# Create with a chosen SKU:
az storage account create -g data-rg -n contosodata \
--sku Standard_ZRS --kind StorageV2 --access-tier Hot

Securing access

Storage security is a frequent administration concern. Each account has access keys that grant full control — never hardcode them in application code; rotate them, store them in Key Vault, or better, use Entra ID authentication and Azure RBAC data-plane roles so identities (not keys) authorize access. For scoped, delegated access, a Shared Access Signature (SAS) token grants time-limited permission to specific resources without sharing the account key. To keep the account off the public internet entirely, use a Private Endpoint or service endpoint and disable public network access, so only your VNet can reach it. Data at rest is always encrypted (Storage Service Encryption), with customer-managed keys available via Key Vault. Layering these — key hygiene, SAS for delegation, private networking, encryption — is the storage security baseline.

Storage account essentials
structure
services
Blob · Files · Queue · Table
redundancy
LRS / ZRS / GRS / GZRS
secure access
Entra ID + RBAC
identity over account keys
SAS tokens
scoped, time-limited delegation
Private Endpoint
no public network path
Pick redundancy for the failures you must survive, and prefer identity + private networking over distributing all-powerful account keys.
Account keys grant full control — do not distribute them
A storage account access key is a master credential: anyone holding it can read, write, and delete all data in the account. Never embed keys in code or config; use Entra ID authentication with RBAC, or scoped SAS tokens for delegation, and if keys must be used, store them in Key Vault and rotate them regularly.