In the previous chapter, we learned about the concepts of Windows Server storage and filesystems.
This chapter covers content from AZ-800 Administering Windows Server Hybrid Core Infrastructure: Implement a hybrid file server infrastructure.
We will learn about the storage services that are available in Azure and look at how they can be implemented to meet use case requirements when deploying workloads into Azure. We will conclude with some hands-on exercises to help you develop your skills even further.
The following topics are included in this chapter:
In addition to the topics listed in this chapter, this chapter’s goal is to take your knowledge beyond the exam objectives to prepare you for a real-world, day-to-day hybrid environment-focused role.
This section looks at the available Storage services in Azure. We will start this chapter by looking at various definitions and concepts to help set a baseline and foundation of knowledge that you can build from.
The following storage types are available in Azure:
Selecting the right data storage that matches your workload type is a key design decision to provide an optimal cost, performance, and operational solution. You may need to implement different storage types in a single solution since no Azure Storage service will meet all your needs.
These Azure resources are repositories and boundaries where you can store all your data objects. In addition to working as data planes, they can also be considered management plane consoles. Storage accounts can define the settings and configurations that can be applied to the data held in the storage account, such as tiering, redundancy, security, access control, protection, monitoring, and so on.
Storage accounts are automatically encrypted for each storage service. They can be monitored using Azure Storage Analytics and Azure Monitor.
You can create your first storage account using the Azure portal, as shown in the following screenshot:
Figure 8.1 – Creating a storage account in Azure
You can also use PowerShell, the Azure CLI, or an Infrastructure as Code (IaC) deployment language such as Terraform, Bicep, or Azure Resource Manager (ARM).
Once created, the storage account can be accessed via HTTP/HTTPS through a globally unique namespace. These are known as endpoints and can be public or private. Information about these, along with Quickstart templates, can be found at https://docs.microsoft.com/en-us/azure/templates/microsoft.storage/storageaccounts?pivots=deployment-language-bicep.
We will look at creating a storage account via the Azure portal method in the Hands-on exercises section of this chapter.
The following types of storage accounts can be created:
These storage account types are represented in the following screenshot:
Figure 8.2 – Storage account types
You cannot change the performance type setting after creating a storage account. This is shown in the following screenshot:
Figure 8.3 – Storage account type setting
You must create a new storage account of the performance type you need and then move the data to the created storage account.
This section looked at storage types, accounts, redundancy, and access. In the next section, we will look at implementing Azure Files.
The most common use case for Azure Files is to provide a replacement for on-premises file servers in a lift-and-shift manner to an Azure scenario. This will require you to provide access to network file shares via Server Message Block (SMB), Network File System (NFS), and HTTP(S) protocols. Client connections can be made by Windows, Linux, and macOS devices when the appropriate connectivity and access permissions are implemented.
Azure Files can also be used for backup and disaster recovery scenarios for the on-premise locations of file servers . Azure File Sync can be used to replicate file shares from on-premise file servers, providing a cloud tiering capability.
Azure Files is based on a serverless deployment, meaning there are no file servers to manage; this layer has been abstracted so that you can focus on creating shares and managing their access.
Azure Files uses the standard SMB 3.x protocol and can provide granular file permissions with support for NTFS when domain services are used to provide access. Data redundancy, performance tiering, encryption, versioning, backup, malware protection through Microsoft Defender for Storage, public and private endpoint access, and monitoring can all be configured as part of the service.
Azure Files supports a maximum file size of 4 TB and a maximum file share size of 100 TB (at the time of writing).
Access is available from anywhere, with the caveat that you must consider the following:
The storage account key will be required to gain full admin control and ownership of a file share using Azure Files; this process and its actions should be tightly controlled and governed.
Azure Files provides the following storage tiers so that you get the optimal price and performance to match your needs:
The chosen tier needs to match how frequently data is accessed and the rate at which data needs to be moved between tiers; the access frequency and retrieval (rehydration) process can negatively impact costs if the incorrect tier is chosen.
Several replication options are provided by Microsoft for your data. The following ones can be used with Azure Files:
These options are shown in the following screenshot:
Figure 8.4 – Storage redundancy options
Note that premium file share storage accounts only support the LRS and ZRS redundancy options. There is no geo-redundancy option for a secondary region.
In addition, Read Access GRS (RA-GRS) and Read Access GZRS (RA-GZRS) are two other storage types that are available that support read access to the data in the secondary region; this can support a use case where you want to serve a copy of the data in a region closer to users, while the primary region is up. Note that not all storage types are available in all regions.
Encrypting data at rest in a storage account is provided by all Azure Storage services and is enabled by default. As the data is written, it is automatically encrypted and transparently decrypted when accessed. By default, Microsoft-managed keys (MMK) are used. This can be seen in the following screenshot:
Figure 8.5 – Storage encryption type
As an alternative, customer-managed keys (CMK) can be used to encrypt the data; they can be stored in an Azure Key Vault as the key store. All storage accounts have encryption-in-transit enabled by default, as shown here:
Figure 8.6 – Encryption-in-transit setting
In the default configuration of Secure transfer required being Enabled, HTTP connections are not allowed and will be rejected. Connections will fail if encryption is disabled, even in the case of SMB 3.0.
The following settings are enabled by default when creating a storage account:
These options can be seen in the following screenshot:
Figure 8.7 – Storage protection
In addition, snapshots can be taken of file shares for general backup operations. Snapshots are incremental, and a share can contain up to 200.
When a storage account is created, the default networking configuration allows public access from all networks. You can change this to one of the following:
These options are shown in the following screenshot:
Figure 8.8 – Storage network access options
When you select the Disable public access and use private access option, you will be presented with the option to add a private endpoint. A private endpoint assigns a private IP to the storage account from the VNet. This can be seen in the following screenshot:
Figure 8.9 – Private endpoint
Once a private endpoint has been added, the endpoint for the storage account is only accessible from the VNet.
Access to Azure Files must be authenticated; there is no support for anonymous access. The supported authentication methods for Azure Files are identity-based, access key, and shared access signature (SAS).
This access method provides Kerberos authentication using identities from Active Directory, Azure AD Domain Services, and Azure AD Kerberos. These options can be seen in the following screenshot:
Figure 8.10 – Identity-based access
At the time of writing, cloud-only identities – that is, those that solely exist in Azure AD – are not supported. User accounts must be hybrid identities. Azure AD is a directory service only; it provides no direct domain controller functionality.
This static authentication method uses a key, not a password. It provides the owner full access to the file shares and bypasses all access control. This can be seen in the following screenshot:
Figure 8.11 – Access keys
This access should be controlled and governed. It shouldn’t be used by users, only by service owners and admins.
SAS provides a Uniform Resource Identifier (URI) that is generated dynamically. It provides access based on the storage key and can restrict access based on IP addresses, allowed protocols, permissions, and a set expiry time. These options can be seen in the following screenshot:
Figure 8.12 – SAS
The SAS method use case is for API access.
Role-based access control (RBAC) can manage file share permissions when configuring identity-based authentication. The following are the Azure File Share-specific built-in roles that can be assigned to users:
These roles can be seen in the following screenshot:
Figure 8.13 – File share roles
Once users have access to a file share, NTFS permissions control the next level of access to folders and files, the same as any on-premise SMB file share.
In this section, we concluded the topic of implementing Azure Files. In the next section, we will look at implementing Azure File Sync.
Azure File Sync uses Azure Files to keep file shares centralized in Azure but retains on-premise file servers to maintain existing operations, compatibility, and performance. Azure file shares can also be cached locally to on-premise file servers so that they are closest to the location where they are required. The file share data is still accessible locally via SMB, NFS, and File Transfer Protocol (FTP).
Azure File Sync is comprised of the following components:
The use cases and capabilities of Azure File Sync for on-premise file servers are as follows:
Azure File Sync can be implemented using the Azure portal, PowerShell, or Windows Admin Center. You can follow these steps to implement Azure File Sync using the Azure portal:
We will cover these steps in detail in the Hands-on exercises section.
DFS-N and DFS-R are compatible with Azure File Sync and can work together. To use them concurrently, File Sync cloud tiering should be disabled on volumes with DFS-R replicated folders, and server endpoints should not be created as DFSR read-only replication folders.
You can use Azure File Sync to migrate from a DFS-R deployment. The steps are as follows:
DFS-R servers in a sync group will require internet connectivity for Azure File Sync; in these cases, you don’t want to migrate those servers’ shares. Instead, you should use DFS-R and Azure File Sync together.
In this section, we introduced Azure File Sync and learned how to implement it. In the next section, we will complete some hands-on exercises to reinforce some of the concepts that were covered in this chapter.
To support your learning with some practical skills, we will utilize the concepts and understanding we gained from this chapter and put them to practical use.
We will look at the following exercises:
To get started with this section, you will need access to the Azure portal with an account with Owner or Contributor access to an Azure subscription.
Let’s move on to the exercise for this chapter.
In this exercise, we will create a storage account.
Follow these steps to get started:
Figure 8.14 – Search storage accounts
Figure 8.15 – The Storage accounts screen
Figure 8.16 – Project details
Figure 8.17 – Storage accounts screen
Figure 8.18 – Selecting a performance type
Note
For a Premium storage account, you would select Premium, then select the required Premium account type for your scenario.
Figure 8.19 – Premium performance type
Figure 8.20 – Redundancy options
Figure 8.21 – Completed deployment
Figure 8.22 – The Storage account blade
With that, we have completed this exercise. This exercise taught us the skills needed to create a storage account; we covered the option of implementing the standard and performance tiers. In the next exercise, we will implement an Azure Files share.
In this exercise, we will implement an Azure file share using a standard storage account.
Follow these steps to get started:
Figure 8.23 – The Storage account blade
Figure 8.24 – The File shares blade
Figure 8.25 – The New file share blade
Figure 8.26 – The Files shares blade
Figure 8.27 – The File shares blade
Figure 8.28 – The Connect blade
Figure 8.29 – The Access Control (IAM) blade
With that, we have completed this exercise. This exercise taught us the skills to create an Azure file share using standard storage. In the next exercise, we will implement an Azure File share using a premium storage account.
In this exercise, we will implement an Azure file share using a premium storage account.
Follow these steps to get started:
Figure 8.30 – The Storage account screen
Figure 8.31 – The New file share blade
Figure 8.32 – The Files share blade
Figure 8.33 – The Connect blade
Figure 8.34 – The Access Control (IAM) blade
With that, we have completed this exercise. This exercise taught us the skills to implement an Azure file share using a premium storage account. Now, let’s summarize this chapter.
We started this chapter by introducing the storage services that are available in Azure, their use cases, and where we may select each one for a real-world scenario. Then, we looked at implementing the Azure Files service and Azure File Sync, and how to migrate the service from DFS-R. We finished this chapter with some hands-on exercises to provide you with valuable practical skills.
We ensured that we provided coverage of AZ-800 Administering Windows Server Hybrid Core Infrastructure: Manage storage and file services.
This chapter aimed to take your knowledge beyond the exam objectives; we added new skills and learning with the content provided. This will help you develop your knowledge and skills for on-premise network infrastructure services and allow you to be prepared for a real-world, day-to-day hybrid environment-focused role.
In the next chapter, you will learn about implementing Hyper-V on Windows Server.
This section provides links to additional study references and additional exam information:
Check what you have learned in this chapter by answering the following questions:
3.138.116.20