Azure Storage Labs โ
๐ฏ Purpose: Hands-on practice using Azure Portal
Format: Each lab has a scenario, clear steps, and discovery questions
Solutions: See solutions.md - fill in as you complete!
๐๏ธ Setup: Create Your Lab Environment โ
Before starting, create these resources:
| Resource | Name | Settings |
|---|---|---|
| Resource Group | rg-storage-labs | Your preferred region |
| Storage Account 1 | labstandard[initials][random] | Standard, LRS |
| Storage Account 2 | labdatalake[initials][random] | Standard, LRS, Enable HNS |
Lab 1: The Namespace Difference โ
๐ฏ Goal: Experience the difference between flat and hierarchical namespace firsthand.
Scenario โ
You need to organize project files. Let's see how folder operations differ between regular blob storage and Data Lake.
Part A: Flat Namespace (Standard Blob) โ
In your labstandard storage account:
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to Containers โ Create container project-files | Container created |
| 2 | Click into container โ + Add Directory | Notice: "New virtual directory" text |
| 3 | Create folder structure: 2024/january/reports/ | Creates nested "folders" |
| 4 | Upload 3 small files into 2024/january/reports/ | Files uploaded |
| 5 | Go back to container root โ Look at blob names | Discovery: What are the actual blob names? |
| 6 | Try to rename folder january to jan | Discovery: Can you do it? What happens? |
| 7 | Delete the folder 2024 | Discovery: What actually gets deleted? |
Part B: Hierarchical Namespace (Data Lake) โ
In your labdatalake storage account:
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to Containers โ Create container project-files | Container created |
| 2 | Click + Add Directory | Notice: No "virtual" - it's a real directory! |
| 3 | Create same structure: 2024/january/reports/ | Creates nested directories |
| 4 | Upload 3 small files into 2024/january/reports/ | Files uploaded |
| 5 | Right-click folder january โ Rename | Discovery: Can you rename? How fast? |
| 6 | Right-click folder 2024 โ Move | Discovery: Is Move available? |
| 7 | Delete folder with files inside | Discovery: How is this different? |
Questions to Answer โ
Q1: In flat namespace, what is the actual name of a file at 2024/january/reports/file.txt?
โ
Q2: Why can't you rename a folder in flat namespace?
โ
Q3: In hierarchical namespace, how long did rename take? Why?
โ
Q4: What does "virtual directory" mean?
โLab 2: Access Tier Deep Dive โ
๐ฏ Goal: Understand tier behavior, costs, and archive rehydration.
Scenario โ
You're managing a company's document archive. Different documents need different tiers based on access patterns.
Part A: Set Tiers on Upload โ
In your labstandard storage account:
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Create container tier-testing | Private access level |
| 2 | Click Upload | Notice the Access tier dropdown |
| 3 | Upload active-doc.txt โ Set tier: Hot | Note: Default tier matches account default |
| 4 | Upload monthly-report.txt โ Set tier: Cool | Notice: Same upload dialog, different tier |
| 5 | Upload quarterly-data.txt โ Set tier: Cold | Cold tier option available |
| 6 | Upload archive-backup.txt โ Set tier: Archive | Archive tier selected |
Part B: View and Change Tiers โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Click on any blob โ Overview tab | Find "Access tier" property |
| 2 | Click Change tier button | See all available tier options |
| 3 | Change active-doc.txt from Hot to Cool | Discovery: Is it instant? |
| 4 | Try to change archive-backup.txt to Hot | Discovery: What's different about Archive? |
| 5 | Look for "Archive status" property | Discovery: What does "rehydrate-pending-to-hot" mean? |
| 6 | Find "Rehydrate priority" option | Standard vs High priority |
Part C: Try to Read Archived Blob โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Click on archive-backup.txt | Go to blob properties |
| 2 | Click Download | Discovery: What happens? |
| 3 | Generate a SAS URL for this blob | Get the full URL |
| 4 | Open URL in browser | Discovery: What error do you get? |
Part D: Start Rehydration โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Select archive-backup.txt โ Change tier | Options appear |
| 2 | Select Hot tier | Rehydrate priority option appears |
| 3 | Choose Standard priority | Note the time estimate |
| 4 | Click Save | Tier change initiated |
| 5 | Refresh and check "Archive status" | Shows: rehydrate-pending-to-hot |
Questions to Answer โ
Q1: Can you set tier during upload? Where is the option?
โ
Q2: What happens when you try to download an archived blob?
โ
Q3: What's the difference between Standard and High rehydration priority?
โ
Q4: While rehydration is pending, what is shown in the "Access tier" field?
โ
Q5: Can you cancel a rehydration in progress?
โLab 3: Container Access Levels & Anonymous Access โ
๐ฏ Goal: Understand the three access levels and security implications.
Scenario โ
You need to host some public images and some private documents in the same storage account.
Setup โ
| Step | What to Do |
|---|---|
| 1 | Create container private-docs with Private access |
| 2 | Create container public-images with Blob access |
| 3 | Create container full-public with Container access |
| 4 | Upload the same test image to all three containers |
Testing Access โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Get URL of blob in private-docs | Click blob โ Copy URL |
| 2 | Open URL in Incognito browser | Expected: Error (no access) |
| 3 | Get URL of blob in public-images | Same process |
| 4 | Open URL in Incognito browser | Expected: Image displays |
| 5 | Try to list blobs by removing filename from URL | Example: https://account.blob.../public-images/ |
| 6 | Expected: Should fail (blob access โ list access) | |
| 7 | Try same list URL for full-public container | Expected: XML list of blobs |
Find the Security Warning โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to storage account โ Configuration | Look for anonymous access setting |
| 2 | Find "Allow Blob anonymous access" | What is current setting? |
| 3 | Go to container โ Change access level | Notice the warning banner |
Questions to Answer โ
Q1: What's the URL format for accessing a blob anonymously?
โ
Q2: What's the difference between "Blob" and "Container" access level?
โ
Q3: Where do you see the warning about anonymous access being a security risk?
โ
Q4: If you disable "Allow Blob anonymous access" at account level, what happens to public containers?
โLab 4: Moving and Copying Blobs โ
๐ฏ Goal: Understand what operations are possible and their limitations.
Scenario โ
You need to reorganize blobs between containers and understand the copy/move behavior.
Part A: Copy Within Same Account โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | In tier-testing container, select a blob | Checkbox appears |
| 2 | Look for Copy option in toolbar | Find the copy button |
| 3 | Click Copy | Notice: Copies to clipboard |
| 4 | Navigate to different container | Open private-docs |
| 5 | Click Paste | Discovery: Is paste available? |
| 6 | Try right-click on blob โ Look for Move | Discovery: Is Move available? |
Part B: Copy Using "Copy URL" + Portal Upload โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to a blob โ Copy its URL | Full blob URL |
| 2 | Go to destination container | Different container |
| 3 | Click Upload โ Advanced | Expand advanced options |
| 4 | Find "Copy from URL" section | Paste source URL |
| 5 | Discovery: Does this work? | Try it! |
Part C: Rename a Blob (Flat Namespace) โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Right-click a blob | Look for Rename option |
| 2 | Discovery: Is there a Rename option? | No direct rename! |
| 3 | How would you "rename" a blob? | Think about it... |
Part D: Move in Data Lake (Hierarchical Namespace) โ
In your labdatalake storage account:
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Create two containers: source and destination | Both created |
| 2 | In source, create folder data with files | Add 3+ files |
| 3 | Right-click on a file โ Look for options | What's available? |
| 4 | Find Move option | Select it |
| 5 | Move file to destination container | Discovery: Does it work across containers? |
| 6 | Move file within same container to different folder | Discovery: Does this work? |
Questions to Answer โ
Q1: Can you move a blob in standard (flat namespace) storage? What must you do instead?
โ
Q2: Can you rename a container? What must you do instead?
โ
Q3: In Data Lake (HNS), can you move files across containers?
โ
Q4: What's the difference between Copy and Move in terms of billing?
โLab 5: Lifecycle Management Rules โ
๐ฏ Goal: Create automatic tier transitions and deletion rules.
Scenario โ
You need to automatically:
- Move blobs to Cool after 30 days
- Move blobs to Archive after 90 days
- Delete blobs after 365 days
Create Lifecycle Policy โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Storage account โ Data management โ Lifecycle management | Lifecycle blade |
| 2 | Click + Add rule | Rule wizard opens |
| 3 | Name: auto-tier-transition | Give descriptive name |
| 4 | Rule scope: Apply to all blobs or Limit with filters | Options available |
| 5 | Blob type: Block blobs (default) | Other types available |
| 6 | Blob subtype: Base blobs | Notice versions/snapshots options |
Configure Actions โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | "Base blobs" tab โ Add action | Action dropdown |
| 2 | Check: Move to cool storage | Days input appears |
| 3 | Set: 30 days after last modification | First transition |
| 4 | Add another action: Move to archive storage | Can't select (need higher number) |
| 5 | Set: 90 days | Second transition |
| 6 | Add: Delete the blob after 365 days | Final action |
Add Filter (Optional) โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to Filter set tab | Filter options |
| 2 | Add prefix filter: logs/ | Only affects blobs starting with logs/ |
| 3 | Save the rule | Rule created |
View as JSON โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Click on Code view tab | JSON representation |
| 2 | Copy the JSON | This is what API uses |
| 3 | Notice the structure | Rules, filters, actions |
Questions to Answer โ
Q1: How often do lifecycle rules run?
โ
Q2: Can you create a rule that moves blobs based on LAST ACCESS time (not modification)?
โ
Q3: What happens if a blob is already in Archive and the delete rule triggers?
โ
Q4: Can lifecycle rules move blobs to a different container? Different storage account?
โ
Q5: Why can't you set "Move to Cool after 90 days" if you already have "Move to Archive after 30 days"?
โLab 6: Versioning vs Soft Delete vs Point-in-Time โ
๐ฏ Goal: Understand the three protection mechanisms and when each applies.
Scenario โ
Compare what happens when you delete and modify blobs with different protection enabled.
Part A: Enable Protection Features โ
| Step | What to Do | Where |
|---|---|---|
| 1 | Storage account โ Data protection | Data management section |
| 2 | Enable Soft delete for blobs โ 7 days | Checkbox + days |
| 3 | Enable Soft delete for containers โ 7 days | Checkbox + days |
| 4 | Enable Versioning for blobs | Checkbox |
| 5 | Point-in-time restore - Try to enable | Discovery: What happens? |
| 6 | Save changes | Wait for propagation |
Part B: Test Soft Delete โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Upload blob delete-test.txt | File uploaded |
| 2 | Delete the blob | Blob disappears from list |
| 3 | Toggle Show deleted blobs | Filter option in toolbar |
| 4 | Find your deleted blob | Shows with "Deleted" status |
| 5 | Click blob โ Undelete | Blob restored! |
Part C: Test Versioning โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Upload blob version-test.txt with content "Version 1" | Initial upload |
| 2 | Upload SAME blob name with content "Version 2" | Overwrites |
| 3 | Upload SAME blob name with content "Version 3" | Overwrites again |
| 4 | Click on the blob โ Versions tab | All versions listed |
| 5 | Click on old version โ Make current version | Old version promoted |
| 6 | Download current version | Should have old content |
Part D: Check HNS Account โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to labdatalake storage account | HNS enabled account |
| 2 | Go to Data protection | Same blade |
| 3 | Look for Versioning option | Discovery: Is it available? |
| 4 | Look for Point-in-time restore | Discovery: Is it available? |
Questions to Answer โ
Q1: What's the difference between soft delete and versioning?
โ
Q2: Can you have both soft delete AND versioning enabled?
โ
Q3: Why is versioning NOT available when HNS is enabled?
โ
Q4: If you delete a blob with versioning enabled, what happens to the versions?
โ
Q5: How is Point-in-time restore different from versioning?
โLab 7: Static Website Hosting โ
๐ฏ Goal: Enable and test static website hosting.
Setup Static Website โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Storage account โ Data management โ Static website | Static website blade |
| 2 | Toggle Enabled | Additional fields appear |
| 3 | Index document: index.html | Default page |
| 4 | Error document: 404.html | Error page |
| 5 | Click Save | Endpoints appear! |
| 6 | Copy Primary endpoint URL | Your website URL |
Find the $web Container โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to Containers | List of containers |
| 2 | Find $web container | Special container created |
| 3 | Note the access level | What is it? |
Upload Website Content โ
| Step | What to Do | Content |
|---|---|---|
| 1 | Create index.html locally | <h1>Hello from Azure Storage!</h1> |
| 2 | Create 404.html locally | <h1>Page Not Found</h1> |
| 3 | Upload both to $web container | Via portal upload |
Test Your Website โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Open Primary endpoint in browser | Your index.html |
| 2 | Add /nonexistent to URL | 404.html should show |
| 3 | Note the URL format | https://account.z13.web.core.windows.net |
Questions to Answer โ
Q1: What's special about the $web container?
โ
Q2: Can you change the access level of $web container?
โ
Q3: Is the static website endpoint the same as the blob endpoint?
โ
Q4: Can static website hosting work with HNS enabled?
โLab 8: Azure Files - Create and Mount โ
๐ฏ Goal: Create a file share and mount it on your computer.
Create File Share โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Storage account โ File shares | File shares blade |
| 2 | Click + File share | Create dialog |
| 3 | Name: shared-docs | |
| 4 | Tier: Transaction optimized | Tier options |
| 5 | Create the share | Share created |
Explore the Share โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Click into shared-docs | Share contents |
| 2 | Click + Add directory | Create folder |
| 3 | Create finance folder | |
| 4 | Upload a file to finance | |
| 5 | Note: Files have full paths like a file system | Not like blob "virtual folders" |
Get Mount Command โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Click Connect button | Connect dialog |
| 2 | Select your OS: Windows | Mount script |
| 3 | Copy the PowerShell script | Full mount command |
| 4 | Note the drive letter option | Can choose letter |
| 5 | Note the authentication | Uses storage key |
Mount on Windows (if possible) โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Open PowerShell as Admin | Elevated prompt |
| 2 | Paste the mount script | Execute |
| 3 | Open File Explorer | New drive should appear |
| 4 | Create a file from Windows | |
| 5 | Refresh portal | File appears! |
Questions to Answer โ
Q1: What's the UNC path format for Azure Files?
โ
Q2: What port does SMB use? Why might this be blocked?
โ
Q3: Can you create a file share with NFS protocol? What are the requirements?
โ
Q4: What authentication methods are shown in the Connect dialog?
โLab 9: SAS Tokens - Generation and Testing โ
๐ฏ Goal: Generate and test different types of SAS tokens.
Generate Blob SAS โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to any blob in private-docs | Click on blob |
| 2 | Click Generate SAS tab | SAS options |
| 3 | Signing key: Key 1 | Which key signs the SAS |
| 4 | Permissions: Read only | Uncheck all except Read |
| 5 | Start: Now | |
| 6 | Expiry: 1 hour from now | Short validity |
| 7 | Allowed protocols: HTTPS only | Security option |
| 8 | Generate SAS token and URL | Token appears |
| 9 | Copy the full Blob SAS URL | Complete URL |
Test the SAS โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Open SAS URL in Incognito browser | Should download/display |
| 2 | Compare: Open blob URL WITHOUT SAS | Should fail |
| 3 | Wait for SAS to expire | After 1 hour |
| 4 | Try SAS URL again | Should fail - expired |
Generate Container SAS (with List permission) โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to container level (not blob) | Container overview |
| 2 | Click Shared access tokens | Container SAS options |
| 3 | Permissions: Read + List | Multiple permissions |
| 4 | Generate SAS | Token appears |
| 5 | Use URL with ?restype=container&comp=list appended | XML blob list! |
Generate Account SAS โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Storage account โ Shared access signature | Account SAS blade |
| 2 | Notice all the services options | Blob, File, Queue, Table |
| 3 | Notice resource types | Service, Container, Object |
| 4 | Generate with minimal permissions | Only what's needed |
Questions to Answer โ
Q1: What's the difference between Blob SAS, Container SAS, and Account SAS?
โ
Q2: How do you revoke a SAS token?
โ
Q3: What is a Stored Access Policy? Where do you create it?
โ
Q4: What signing key was used? What happens if you rotate that key?
โLab 10: Feature Conflicts - HNS Limitations โ
๐ฏ Goal: Verify what features are unavailable with Hierarchical Namespace.
Check Data Lake Account Limitations โ
In your labdatalake storage account (HNS enabled):
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Go to Data protection | Data protection blade |
| 2 | Look for Versioning toggle | Available? |
| 3 | Look for Point-in-time restore | Available? |
| 4 | Look for Blob soft delete | Available? |
| 5 | Look for Container soft delete | Available? |
Check Standard Account Features โ
In your labstandard storage account (no HNS):
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | Same blade - Data protection | |
| 2 | Versioning | Available โ |
| 3 | Point-in-time restore | Available โ |
| 4 | All soft delete options | Available โ |
Try Object Replication โ
| Step | What to Do | What to Look For |
|---|---|---|
| 1 | In labstandard โ Object replication | Object replication blade |
| 2 | Note it's available | Can create rules |
| 3 | In labdatalake โ Object replication | Same blade |
| 4 | Discovery: Is it available? | Check if you can create rules |
Create Feature Matrix โ
Fill in what you discovered:
Feature | Standard (no HNS) | Data Lake (HNS)
---------------------------|-------------------|----------------
Versioning | |
Point-in-time restore | |
Blob soft delete | |
Container soft delete | |
Object replication | |
Blob index tags | |
NFS 3.0 protocol | |
SFTP access | |
Real directory rename | |
POSIX ACLs | |๐งน Cleanup โ
Don't Forget to Delete Resources!
- Go to Resource Groups
- Select
rg-storage-labs - Click Delete resource group
- Type the name to confirm
- Click Delete
Estimated cost if you forget: ~$5-10/month for storage accounts
Completion Checklist โ
| Lab | Topic | Completed |
|---|---|---|
| 1 | Namespace Difference (Flat vs HNS) | โ |
| 2 | Access Tier Deep Dive | โ |
| 3 | Container Access Levels | โ |
| 4 | Moving and Copying Blobs | โ |
| 5 | Lifecycle Management | โ |
| 6 | Versioning vs Soft Delete | โ |
| 7 | Static Website | โ |
| 8 | Azure Files | โ |
| 9 | SAS Tokens | โ |
| 10 | HNS Feature Conflicts | โ |