Create and configure containers in Blob Storage

Configure Azure Files and Azure Blob Storage

Azure Blob Storage is a service in Azure that stores unstructured data.
- Examples of unstructured data: documents, images, backups, log files, videos.
Blob storage is organized in storage accounts, and inside storage accounts, data is stored in containers.
Think of a container like a folder in your cloud storage—but designed for scalable access by applications.

A container is a logical grouping of blobs (files).
Each container has its own access rules, which means you can control who can read or write the blobs inside it.
Each blob inside a container has a unique name within that container.

There are three main ways to create a container: Azure portal, Azure CLI, and PowerShell.

Go to your Storage Account in the Azure portal.
Click Containers under the Blob service section.
Click + Container.
Enter a name for the container.
- Must be lowercase letters, numbers, and hyphens only.
Set public access level (explained below).
Click Create.

az storage container create \
  --name mycontainer \
  --account-name mystorageaccount \
  --public-access off

New-AzStorageContainer -Name "mycontainer" -Context $ctx -PublicAccess Off

When creating a container, you can choose who can access the blobs. There are three levels:

Access Level	Description	Use Case in IT Environment
Private	Only authenticated users with proper credentials can access blobs.	For sensitive data like company backups or confidential reports.
Blob	Anyone with the blob URL can read the blob. Users cannot list all blobs.	For sharing reports or documents securely with specific users who have URLs.
Container	Anyone can read all blobs and list them.	For publicly available documents, like documentation or publicly accessible logs.

Exam Tip: Know the difference between Private, Blob, and Container access levels. They are commonly tested.

After creating a container, you can configure:

Lifecycle Management
- Automatically move blobs to a cheaper storage tier (Hot → Cool → Archive) based on rules.
- Example: Move logs older than 30 days to Archive to save costs.
Soft Delete
- Protects blobs from accidental deletion.
- Deleted blobs are retained for a configurable number of days.
Immutable Blob Storage
- Make blobs read-only for a set period.
- Useful for compliance, e.g., storing financial records that cannot be altered.
Access Policies
- You can create Stored Access Policies with permissions and expiry.
- These can be linked to Shared Access Signatures (SAS) to give temporary access to specific users.

A SAS token is a URL that allows access to a container or blob without sharing account keys.
You can control:
- Permissions: Read, Write, Delete, List
- Time window: Start and expiry
- IP restrictions: Limit access to certain IP addresses

Example in IT environment: Allow a temporary partner to upload files to a container for 24 hours without giving them full storage account access.

Backups: Store VM snapshots or database dumps in a private container.
Logs: Application logs can be stored in a container and automatically moved to Archive after 90 days.
Shared reports: Marketing reports can be stored in a container with Blob access so the team can download without logging in.
Software updates: Deployment packages can be stored in a container with SAS links for remote servers to download.

Containers are logical storage units inside Blob Storage.
Access levels: Private, Blob, Container. Know the difference.
Creation methods: Azure Portal, CLI, PowerShell.
Container settings: Lifecycle management, soft delete, immutable storage.
Use SAS tokens for temporary or restricted access without sharing account keys.

✅ Summary for Students