Instructor: All right, we're moving on to click the Next button, and we're coming up to the Data protection tab of the storage account creation process. Now, this is important because it's gonna allow you to be protected from accidental or malicious deletion or modification of files.

So we can see on this screen a number of check boxes going down under recovery, tracking, and access control. You have the option of enabling an option called point-in-time restore. Now, point-in-time restore is going to keep versions of your files and allow you to go back to any date and time that you specify within the maximum restore point. And so you can go up to 30 days back in terms of point-in-time restore. So let's say I wanna be able to go back to any point within the last 21 days in order to restore the container to that earlier state. Now, like it says in the note, in order to have this, it needs other features, such as versioning, change feed, and soft delete.

So speaking of which, soft delete is a feature that means when you go to delete a file, it doesn't actually get deleted. It's called marked for deletion. So when you have soft delete enabled, it basically enforces a time period in which you can still restore that file. So even if you don't have point-in-time restore enabled, you can have this soft delete. So with this setting, and it's on by default, I can delete a file and I still have seven days in the future where I can say, "Oh, I actually made a mistake and I want to recover that file." The reason this is good is because in case of malicious deletion, any person that goes into your account and deletes a bunch of things, if you can catch it within this time period, then you can easily restore it without having to go to backups and others.

So there are three options for soft delete. One is for blobs, one is for the entire container. So if someone deletes the container, you can restore it within those many days. And also for file shares. This is on by default. The only thing that this really impacts when you are testing is it's an extra bit of work in order to delete files when they're just test files. So in a non-production capacity, then this is actually more work.

Going down to the tracking section. We do have the option of keeping previous versions of blobs. So let's say you have files that change every once in a while. So every 30 days a particular file gets updated in an update method. Well, having versioning means you're automatically gonna have version six, version seven, and version eight. And so Azure's gonna store those versions, and you're going to basically pay for it. So the more versions of something you have, then the more gigabytes that you're storing. You can control your versioning through data lifecycle, which we'll talk about.

The change feed allows you to see when somebody makes changes, create, modification, or delete changes to blobs. So it's basically in a feed that you can then listen to or you can query and you can perhaps perform certain actions when changes occur.

And finally, under access control you have this concept of immutability. Now, immutability means that a file can never be altered or even deleted. So this is for important files that once it's written, you never ever want somebody to go and change the contents of that file. This would be like a security log, would be a good example of this. So if you're tracking everyone who's logged in or logged out or login failures into your application, you may consider some type of immutable log, such that a hacker could not then go and delete the log files and cover their trails. So this is a time-based retention policy that applies to all blob versions. So if you have versioning enabled, it applies to all the versions of a file. So you can have this at a container level, or you can have this at an account level or even at a specific blob level. And in order to do this, then you're gonna need to have versioning enabled for this.

All right, so that's the different data protection, recovery, tracking, and access control features that you can enable for a storage account. In the next video, we'll finish it up. We'll talk about encryption and we'll create this account.
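
Added example, not part of the video: a small audit of a storage account's blob-service settings against the dependencies the instructor describes (point-in-time restore needs versioning, change feed, and soft delete; immutability needs versioning). The input shape is assumed to match the JSON from `az storage account blob-service-properties show`; `audit_data_protection`, its `account_immutability` flag, and both sample dictionaries are constructed for illustration, and the final restore-window check is an Azure requirement not mentioned in the video.

```python
# Added example: sample settings below are constructed, not from a real account.

def audit_data_protection(props, account_immutability=False):
    """Return findings for a blob-service 'properties' dict (assumed az CLI shape)."""
    findings = []
    soft = props.get("deleteRetentionPolicy", {})
    container_soft = props.get("containerDeleteRetentionPolicy", {})
    restore = props.get("restorePolicy", {})
    versioning = bool(props.get("isVersioningEnabled"))
    change_feed = bool(props.get("changeFeed", {}).get("enabled"))

    if not soft.get("enabled"):
        findings.append("blob soft delete is off: a deleted blob cannot be undeleted")
    if not container_soft.get("enabled"):
        findings.append("container soft delete is off: a deleted container cannot be restored")

    if restore.get("enabled"):
        # Prerequisites named in the portal note the instructor reads out.
        prereqs = (("versioning", versioning),
                   ("change feed", change_feed),
                   ("blob soft delete", bool(soft.get("enabled"))))
        for name, ok in prereqs:
            if not ok:
                findings.append(f"point-in-time restore is on but {name} is off")
        # Azure requirement (not from the video): restore window < soft-delete days.
        if soft.get("enabled") and restore.get("days", 0) >= soft.get("days", 0):
            findings.append("restore window is not shorter than blob soft-delete retention")

    if account_immutability and not versioning:
        findings.append("version-level immutability requested but versioning is off")
    return findings


# Constructed sample: 21-day restore window with default 7-day soft delete.
SAMPLE_WEAK = {
    "deleteRetentionPolicy": {"enabled": True, "days": 7},
    "containerDeleteRetentionPolicy": {"enabled": False},
    "isVersioningEnabled": False,
    "changeFeed": {"enabled": True},
    "restorePolicy": {"enabled": True, "days": 21},
}
# Constructed sample: every prerequisite satisfied.
SAMPLE_OK = {
    "deleteRetentionPolicy": {"enabled": True, "days": 22},
    "containerDeleteRetentionPolicy": {"enabled": True, "days": 7},
    "isVersioningEnabled": True,
    "changeFeed": {"enabled": True},
    "restorePolicy": {"enabled": True, "days": 21},
}

if __name__ == "__main__":
    for finding in audit_data_protection(SAMPLE_WEAK, account_immutability=True):
        print("FINDING:", finding)
```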

Released under the MIT License.