From 4102c9c16151b311ec1fe9b54cf32434025ccb9c Mon Sep 17 00:00:00 2001 From: staleycyn <45440075+staleycyn@users.noreply.github.com> Date: Sun, 10 Dec 2023 17:31:41 -0800 Subject: [PATCH] Update LAB_07-Manage_Azure_Storage.md --- .../Lab/LAB_07-Manage_Azure_Storage.md | 279 +++++++----------- 1 file changed, 106 insertions(+), 173 deletions(-) diff --git a/New Instructions/Lab/LAB_07-Manage_Azure_Storage.md b/New Instructions/Lab/LAB_07-Manage_Azure_Storage.md index dea380e6..aff086a5 100644 --- a/New Instructions/Lab/LAB_07-Manage_Azure_Storage.md +++ b/New Instructions/Lab/LAB_07-Manage_Azure_Storage.md @@ -6,7 +6,7 @@ lab: # Lab 07 - Manage Azure Storage -## Estimated timing: 30 minutes +## Estimated timing: 40 minutes ## Lab scenario @@ -14,7 +14,7 @@ Your organization is currently storing data in on-premises data stores. The majo ## Interactive lab simulations -There are several interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required. +There are interactive lab simulations that you might find useful for this topic. The simulation lets you to click through a similar scenario at your own pace. There are differences between the interactive simulation and this lab, but many of the core concepts are the same. An Azure subscription is not required. + [Create blob storage](https://mslearn.cloudguides.com/en-us/guides/AZ-900%20Exam%20Guide%20-%20Azure%20Fundamentals%20Exercise%205). Create a storage account, manage blob storage, and monitor storage activities. 
@@ -22,159 +22,123 @@ There are several interactive lab simulations that you might find useful for thi ## Architecture diagram -![image](./media/az104-lab07-architecture-diagram.png) +![image](../media/az104-lab07-architecture-diagram.png) ## Tasks -+ Task 1: Provision the lab environment -+ Task 2: Create and configure Azure Storage accounts -+ Task 3: Manage blob storage -+ Task 4: Manage authentication and authorization for Azure Storage -+ Task 5: Create and configure an Azure Files shares -+ Task 6: Manage network access for Azure Storage ++ Task 1: Create and configure a storage account. ++ Task 2: Implement secure blob storage. ++ Task 3: Provide limited access to blob storage. -### Instructions +## Task 1: Create and configure the private storage account. -## Exercise 1 +In this task, you will create and configure a storage account. -## Task 1: Provision the lab environment +1. Sign in to the **Azure portal** - `http://portal.azure.com`. -In this task, you will deploy an Azure virtual machine by using an existing template. This VM will be used later in the lab to work with Azure storage. - -1. If necessary, download the **\\Allfiles\\Labs\\07\\az104-vm1-template.json** and **\\Allfiles\\Labs\\07\\az104-vm1-parameters.json** lab files to your computer. - -1. Sign in to the [Azure portal](https://portal.azure.com). - -1. From the Azure portal, search for and select `Deploy a custom template`. - -1. On the custom deployment page, select **Build you own template in the editor**. - -1. On the edit template page, select **Load file**. - -1. Locate and select the **\\Allfiles\\Labs\\07\\az104-vm1-template.json** file and select **Open**. - - ![image](./media/az104-lab07-template1.png) - -1. Select **Save**. - -1. On the custom deployment page, select **Edit parameters**. - -1. On the edit parameters page, select **Load file**. Locate and select the **\\Allfiles\\Labs\\07\\az104-vm1-parameters.json** file and select **Open**. 
- - ![image](./media/az104-lab07-parameters1.png) - -1. Select **Save**. - -1. Use the following information to complete the fields on the custom deployment page. - - | Setting | Value | - | --- | --- | - | Subscription | Your Azure subscription | - | Resource group| `az104-rg1` (If necessary, select **Create new**) - | Region | **East US** | - | VM Size | **Standard DS2 v3** | - | Admin Username| `Student` | - | Password | Provide a secure password | - - ![image](./media/az104-lab07-deploy1.png) - -1. Select **Review + Create**, and then select **Create**. - - >**Note**: Do not wait for the deployments to complete, but proceed to the next task. - - >**Note**: If you got an error stating the VM size is not available, perform the steps again, select **Change size** and try a SKU that is available in your subscription. - - -## Task 2: Create and configure Azure Storage accounts - -In this task, you will create and configure an Azure Storage account. Azure storage accounts can be used for blob, file, queue, and table storage. You will use this storage account with the virtual machine that you created in the previous task. - -1. In the Azure portal, search for and select **Storage accounts**, and then click **+ Create**. +1. Search for and select **Storage accounts**, and then click **+ Create**. 1. 
On the **Basics** tab of the **Create storage account** blade, specify the following settings (leave others with their default values): | Setting | Value | | --- | --- | | Subscription | the name of your Azure subscription | - | Resource group | **az104-rg1** | + | Resource group | **az104-rg7** (create new) | | Storage account name | any globally unique name between 3 and 24 in length consisting of letters and digits | | Region | **East US** | - | Performance | **Standard** | - | Redundancy | **Locally redundant storage (LRS)** | + | Performance | **Standard** (notice the Premium option) | + | Redundancy | **Geo-redundant storage** (notice the other options)| + | Make read access to data in the event of regional availability | Check the box | - ![image](./media/az104-lab07-storage1.png) +1. On the **Advanced** tab, review the available options, accept the defaults. -1. Click **Next: Advanced >**. +1. On the **Networking** tab, review the available options, select **Private (no anonymous access)**. -1. On the **Advanced** tab, review the available options, accept the defaults, and click **Next: Networking >**. +1. Review the **Data protection** tab. Notice 7 days is the default soft delete retention policy. Accept the defaults -1. On the **Networking** tab, review the available options, accept the default option **Enable public access from all networks** and click **Next: Data protection >**. +1. Review the **Encryption** tab. Notice the additional security options. Accept the defaults. -1. On the **Review** tab, review the available options, accept the defaults, click **Review + Create**, wait for the validation process to complete and click **Create**. +1. Select **Review**, wait for the validation process to complete and then click **Create**. - >**Note**: Wait for the Storage account to be created. This should take about 2 minutes. +1. Once the storage account deploys, **Go to resource**. - ![image](./media/az104-lab07-storage-review.png) +1. 
Review the **Overview** blade and the additional configurations that can be changed. -1. On the deployment blade, click **Go to resource** to display the Azure Storage account blade. +1. Notice in the **Data storage** section, this storage account can be used for Blob containers, File shares, Queues, and Tables. -## Task 3: Manage blob storage +1. In the **Data management** section, view the **Redundancy** blade. Notice the information about your primary and secondary data center locations. -In this task, you will create a blob container and upload a blob into it. Blob containers are directory-like structures that store blobs (unstructured data) in the storage account. You will interact with the blob container and blob object that you create later in the lab. +1. In the **Data management** section, select **Lifecycle management**, and then select **Add rule**. -1. On the Storage account blade, in the **Data storage** section, click **Containers**. ++ **Name** the rule `Movetocool`. Notice your options for limiting the scope of the rule. ++ On the **Base blobs** tab, if based blobs were last modified more than `30 days` ago then **move to cool storage**. ++ Notice you can configure other conditions. Select **Add** when you are ready to create the rule. -1. Click **+ Container** and create a container with the following settings: + ![Screenshot move to cool rule conditions.](../media/az104-lab07-movetocool.png) + +## Task 2: Manage blob storage + +In this task, you will create a blob container and upload a blob into it. Blob containers are directory-like structures that store blobs (unstructured data) in the storage account. + +1. Continue working with your storage account. + +### Create a blob container and a time-based retention policy + +1. In the **Data storage** section, click **Containers**. + +1. 
Click **+ Container** and **Create** a container with the following settings: | Setting | Value | | --- | --- | | Name | `data` | | Public access level | **Private (no anonymous access)** | - ![image](./media/az104-lab07-create-container.png) + ![image](../media/az104-lab07-create-container.png) -1. In the list of containers, click **data** and then click **Upload**. +1. Select your container and in the **Sectings** section, select **Access Policy**. -1. Browse to **\\Allfiles\\Labs\\07\\LICENSE** on your lab computer and click **Open**. - -1. On the **Upload blob** blade, expand the **Advanced** section and specify the following settings (leave others with their default values): +1. In the **Immutable blob storage** area, select **Add policy**. | Setting | Value | | --- | --- | + | Policy type | **Time-based retention** | + | Set retention period for | `90` days | + +1. Select **Save**. + +### Manage blob uploads + +1. Select your **data** container and then click **Upload**. + +1. On the **Upload blob** blade, expand the **Advanced** section. + + >**Note**: Locate a file to upload. This can be any type of file, but a small file is best. + + | Setting | Value | + | --- | --- | + | browse for files | add the file you have selected to upload | | Blob type | **Block blob** | | Block size | **4 MB** | - | Access tier | **Hot** | - | Upload to folder | **licenses** | + | Access tier | **Hot** (notice the other options) | + | Upload to folder | **securitytest** | - > **Note**: Access tier can be set for individual blobs. - - ![image](./media/az104-lab07-upload-blob.png) + > **Note**: Access tiers can be set for individual blobs. 1. Click **Upload**. - > **Note**: Note that the upload automatically created a subfolder named **licenses**. +1. Confirm you have a new folder and your file was uploaded. -1. Back on the **data** blade, click **licenses** and then click **LICENSE**. +1. 
Select your upload file and review the options including **Download**, **Delete**, **Change tier**, and **Acquire lease**. -1. On the **licenses/LICENSE** blade, review the available options. - - > **Note**: You have the option to download the blob, change its access tier (it is currently set to **Hot**), acquire a lease, which would change its lease status to **Locked** (it is currently set to **Unlocked**) and protect the blob from being modified or deleted, as well as assign custom metadata (by specifying an arbitrary key and value pairs). You also have the ability to **Edit** the file directly within the Azure portal interface, without downloading it first. You can also create snapshots, as well as generate a SAS token (you will explore this option in the next task). - -## Task 4: Manage authentication and authorization for Azure Storage - -In this task, you will configure authentication and authorization for Azure Storage. By default, new Azure storage accounts do not allow you to set containers to anonymous access. You can choose to override this for the storage account if you need to be able to allow anonymous access, or you can use other authentication options to access blobs. - -1. On the **licenses/LICENSE** blade, on the **Overview** tab, click **Copy to clipboard** button next to the **URL** entry. - -1. Open another browser window by using InPrivate mode and navigate to the URL you copied in the previous step. +1. Copy the file **URL** and paste into a new **Inprivate** browsing window. 1. You should be presented with an XML-formatted message stating **ResourceNotFound** or **PublicAccessNotPermitted**. > **Note**: This is expected, since the container you created has the public access level set to **Private (no anonymous access)**. -1. Close the InPrivate mode browser window, return to the browser window showing the **licenses/LICENSE** blade of the Azure Storage container, and switch to the the **Generate SAS** tab. 
+### Configure limited access to the blob storage -1. On the **Generate SAS** tab of the **licenses/LICENSE** blade, specify the following settings (leave others with their default values): +1. Return to your uploaded file and select the **Generate SAS** tab. Specify the following settings (leave others with their default values): | Setting | Value | | --- | --- | @@ -185,8 +149,6 @@ In this task, you will configure authentication and authorization for Azure Stor | Expiry date | tomorrow's date | | Expiry time | current time | | Allowed IP addresses | leave blank | - - ![image](./media/az104-lab07-sas1.png) 1. Click **Generate SAS token and URL**. 
@@ -196,41 +158,13 @@ In this task, you will configure authentication and authorization for Azure Stor > **Note**: You should be able to view the content of the file by downloading it and opening it with Notepad. If you receive a Windows SmartScreen error, continue to the page. - > **Note**: Save the blob SAS URL. You will need it later in this lab. - -1. Close the InPrivate mode browser window, return to the browser window showing the **licenses/LICENSE** blade of the Azure Storage container, and from there, navigate back to the **data** blade. - -1. Click the **Switch to the Azure AD User Account** link next to the **Authentication method** label. - - > **Note**: You can see an error when you change the authentication method (the error is *"You do not have permissions to list the data using your user account with Microsoft Entra ID"*). It is expected. - - > **Note**: At this point, you do not have permissions to change the Authentication method. - - ![image](./media/az104-lab07-storage-error.png) - -1. On the **data** blade, click **Access Control (IAM)**. - -1. On the **Check access** tab, click **Add role assignment**. - -1. On the **Add role assignment** blade, specify the following settings: - - | Setting | Value | - | --- | --- | - | Role | **Storage Blob Data Owner** | - | Assign access to | **User, group, or service principal** | - | Members | the name of your user account | - -1. Click **Review + Assign** and then **Review + assign**, and return to the **Overview** blade of the **data** container and verify that you can change the Authentication method to (Switch to Azure AD User Account). - - > **Note**: It might take about 5 minutes for the change to take effect. - ## Task 5: Create and configure an Azure Files shares -In this task, you will create and configure Azure Files shares. Azure File Shares allow you to interact with Azure storage using either SMB or NFS protocols. 
You will then map a network drive from the VM that you deployed to the file share that you create. +In this task, you will create and configure Azure Files shares. -> **Note**: Before you start this task, verify that the virtual machine you provisioned in the first task of this lab is running. +### Create the files share and upload a file -1. In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the **Data storage** section, click **File shares**. +1. In the Azure portal, navigate back to the blade of the **data** storage account, in the **Data storage** section, click **File shares**. 1. Click **+ File share** and on the **Basics** tab give the file share a name, `share1`. Review the other settings on this tab. 
@@ -238,66 +172,65 @@ In this task, you will create and configure Azure Files shares. Azure File Share 1. Click **Review and create**, and then **Create**. Wait for the file share to deploy. - ![image](./media/az104-lab07-create-share.png) + ![Screenshot of the create file share page.](../media/az104-lab07-create-share.png) -1. Click the newly created file share and note the information available on the **share1** blade. +### Explore Storage Browser and upload a file. -1. Click **Browse** and note that there are no files or folders in the new file share. Click **Connect**. +1. Return to your storage account, and select **Storage Browser**. -1. On the **Connect** blade, ensure that the **Windows** tab is selected. Below you will find a button with the label **Show Script**. Click on the button and you will find grey textbox with a script, in the bottom right corner of that box hover over the pages icon and click **Copy to clipboard**. +1. Select **File shares**, and verify your **share1** directory is present. Notice you can **+ Add directory**. -1. In the Azure portal, search for and select **Virtual machines**, and, in the list of virtual machines, click **az104-vm1**. +1. Select your **share1** directory and **Upload** a file of your choosing. -1. On the **az104-vm1** blade, in the **Operations** section, click **Run command**. +1. Select **Upload**. Browse to a file of your choice, and then click **Upload**. -1. On the **az104-vm1** - Run command** blade, click **RunPowerShellScript**. + >**Note**: You are able to view file shares and manage those shares in the Storage Browser. There are currently no restrictions. -1. On the **Run Command Script** blade, paste the script you copied earlier in this task into the **PowerShell Script** pane and click **Run**. +### Restrict network access to the storage account - ![image](./media/az104-lab07-run-command.png) +1. In the poratal, search for and select **Virtual networks**. -1. 
Verify that the script completed successfully. +1. Select **Create**. Select your resource group. and give the virtual network a **name**. -1. Replace the content of the **PowerShell Script** pane with the following script and click **Run**: +1. Take the defaults for other parameters, select **Review + create**, and then **Create**. - ```powershell - New-Item -Type Directory -Path 'Z:\folder1' +1. Wait for the resource to deploy, and then select **Go to resource**. - New-Item -Type File -Path 'Z:\folder1\file1.txt' - ``` +1. In the **Settings** section, select the **Subnets** blade. + + Select the **default** subnet. + + In the **Service endpoints** section choose **Microsoft.Storage** in the **Services** drop-down. + + Do not make any other changes. + + Be sure to **Save** your changes. + + >**Note:** The storage account should now only be accessed from the virtual network you just created. -1. Verify that the script completed successfully. +1. Return to your **data** storage account. -1. Navigate back to the **share1 \| Browse** file share blade, click **Refresh**, and verify that the **folder1** appears in the list of folders. +1. In the **Security + networking** section, select the **Networking** blade. -1. Click **folder1** and verify that **file1.txt** appears in the list of files. +1. Change the **Public network access** to **Enabled from selected virtual networks and IP addresses**. - ![image](./media/az104-lab07-file-browse.png) +1. In the **Virtual networks** section, select **Add existing virtual network**. -## Task 6: Manage network access for Azure Storage +1. Select the new virtual network and subnet, select **Add**. -In this task, you will configure network access for Azure Storage. Earlier in this lab when you created the storage account, it was configured to allow connections from any public IP address. In this lab, you will restrict the network access for the storage account to your specific IP address. +1. Be sure to **Save** your changes. -1. 
In the Azure portal, navigate back to the blade of the storage account you created in the first task of this lab and, in the **Security + Networking** section, click **Networking**. +1. Select the **Storage browser** and **Refresh** the page. Navigate to your file share or blob content. -1. From the **Firewalls and virtual networks** tab, click the **Enabled from selected virtual networks and IP addresses** option and review the configuration settings that become available once this option is enabled. + >**Note:** You should receive a message *not authorized to perform this operation*. You are not connecting from the virtual network. It may take a couple of minutes for this to take effect. - > **Note**: You can use these settings to configure direct connectivity between Azure virtual machines on designated subnets of virtual networks and the storage account by using service endpoints. +## Review the main points of the lab -1. Click the checkbox **Add your client IP address** and select **Save**. +Congratulations on completing the lab. Here are the main takeaways for this lab. - ![image](./media/az104-lab07-storage-networking.png) ++ An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, and tables. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. ++ Azure storage provides several redundancy models including Locally redundant storage (LRS), Zone-redundant storage (ZRS), and Geo-redundant storage (GRS). ++ Azure blob storage allows you to store large amounts of unstructured data on Microsoft's data storage platform. Blob stands for Binary Large Object, which includes objects such as images and multimedia files. ++ Azure file Storage provides shared storage for structured data. The data can be organized in folders. ++ Immutable storage provides the capability to store data in a write once, read many (WORM) state. 
Immutable storage policies an be time-based or legal-hold. -1. Open another browser window by using InPrivate mode and navigate to the blob SAS URL you generated in the previous task. - > **Note**: If you did not record the SAS URL from task 4, you should generate a new one with the same configuration. Use Task 4 steps 4-6 as a guide for generating a new blob SAS URL. +## Cleanup your resources -1. You should be presented with the content of **The MIT License (MIT)** page. - - > **Note**: This is expected, since you are connecting from your client IP address. - -1. Close the InPrivate mode browser window, return to the browser window showing the **Networking** blade of the Azure Storage account. - -## Review - -Congratulations! You have successfully provisioned an Azure virtual machine and storage account, then configured the storage account for blob and file storage. +If you are working with your own subscription take a minute to delete the lab resource group. This will ensure resources are freed up and cost is minimized.
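Review bot: the rewritten sentence in the @@ -14,7 +14,7 @@ hunk still carries the grammar slip from the line it replaces: "The simulation lets you to click through" should read "The simulation lets you click through". Since the line is being touched anyway, fix it here.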
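Review bot: in the @@ -22,159 +22,123 @@ hunk the new Task 1 Networking step says to select "Private (no anonymous access)", but that value is a container public access level (the same one used later when creating the data container), not an option on the storage account's Networking tab; the removed line named the option that tab actually offers, "Enable public access from all networks". Restate the step with the tab's own choices (keeping the default here is consistent with the lab, since network access is restricted in the final task). Smaller points in the same hunk: the Redundancy checkbox label appears to be missing words and should read "Make read access to data available in the event of regional unavailability"; "in the **Sectings** section" is a typo for Settings; "if based blobs were last modified" should be "base blobs"; "Accept the defaults" lacks its final period; "Inprivate" is written "InPrivate" elsewhere in the file; and the Tasks list now ends with "Task 3: Provide limited access to blob storage" while that content appears as the "### Configure limited access to the blob storage" subsection of Task 2, so either the list or the headings need reconciling.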
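Review bot: in the @@ -196,41 +158,13 @@ hunk the "## Task 5: Create and configure an Azure Files shares" heading kept as context is now out of sequence, since the Tasks list in this patch ends at Task 3 and the preceding section is Task 2; renumber it and change "an Azure Files shares" to "an Azure Files share" (likewise "### Create the files share" to "file share"). The new first step says "navigate back to the blade of the **data** storage account", but "data" is the blob container created in Task 2; the storage account has the user-chosen unique name from Task 1, so refer to it as "your storage account". Note also that the removed steps (switching the container's authentication method to the Entra ID user account and assigning Storage Blob Data Owner) were the lab's only coverage of identity-based authorization for blob data, so the lab now demonstrates SAS only; worth confirming that drop is intentional rather than keeping a shortened version.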
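Review bot: in the @@ -238,66 +172,65 @@ hunk the note "The storage account should now only be accessed from the virtual network you just created" is placed right after the Microsoft.Storage service endpoint is added to the subnet, but at that point the storage account's Public network access is still the Task 1 default; the endpoint alone restricts nothing until the later steps change Public network access to "Enabled from selected virtual networks and IP addresses", add the virtual network, and Save. Move the note after that Save step (next to the existing "not authorized to perform this operation" note) so readers do not expect a restriction that is not yet in effect, and state there that, because the old "Add your client IP address" step was removed, the reader's own browser is now deliberately excluded, which is what the closing note relies on. Typos and duplicates in the same hunk: "poratal" should be "portal"; "Select your resource group. and give" should be "Select your resource group, and give"; the consecutive steps "Select your share1 directory and Upload a file of your choosing" and "Select Upload. Browse to a file of your choice" describe the same action, so keep one; "Storage browser" and "Storage Browser" should match; "Immutable storage policies an be" should be "can be"; and the heading "### Explore Storage Browser and upload a file." should drop its trailing period like the other subsection headings. Finally, the Cleanup section asks the reader to delete the resource group, but the data container now carries the 90-day time-based retention policy added in Task 2; verify that the deletion succeeds as written, or add a step to remove that policy first.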