Storage accounts & redundancy
Services, LRS/ZRS/GRS, securing access.
Azure Storage is the foundational data service, and the storage account is where it all starts: a container for Blob, File, Queue, and Table storage with a redundancy setting that determines durability. Choosing the right account configuration is a core administrator decision.
Accounts, services, and redundancy
A storage account provides a unique namespace for your data and hosts four services: Blob (object storage for files and unstructured data), Files (managed SMB/NFS file shares), Queue (messaging), and Table (NoSQL key-value). The most important choice is redundancy, which controls how many copies exist and where. Locally-redundant storage (LRS) keeps three copies in one datacenter — cheapest, protects against disk failure. Zone-redundant storage (ZRS) spreads copies across availability zones in a region — survives a datacenter outage. Geo-redundant storage (GRS) replicates to a paired secondary region — survives a regional disaster. Match redundancy to how critical the data is and what failures you must survive.
# OPTION COPIES / LOCATION SURVIVES# LRS 3 copies, one datacenter disk failure (cheapest)# ZRS 3 copies across availability zones a datacenter outage# GRS LRS + async copy to a paired region a regional disaster# GZRS ZRS + async copy to a paired region zone + regional failure## Create with a chosen SKU:az storage account create -g data-rg -n contosodata \--sku Standard_ZRS --kind StorageV2 --access-tier Hot
Securing access
Storage security is a frequent administration concern. Each account has access keys that grant full control — never hardcode them in application code; rotate them, store them in Key Vault, or better, use Entra ID authentication and Azure RBAC data-plane roles so identities (not keys) authorize access. For scoped, delegated access, a Shared Access Signature (SAS) token grants time-limited permission to specific resources without sharing the account key. To keep the account off the public internet entirely, use a Private Endpoint or service endpoint and disable public network access, so only your VNet can reach it. Data at rest is always encrypted (Storage Service Encryption), with customer-managed keys available via Key Vault. Layering these — key hygiene, SAS for delegation, private networking, encryption — is the storage security baseline.