Azure Storage Encryption

 

It has been a common question from customers: how do we encrypt the data in Azure storage accounts, given that Azure Storage is a public cloud and we are not sure whether our storage account data could be compromised? Beyond that, how can we meet audit compliance for the data in Azure storage accounts, and many more questions.

The Azure Storage encryption feature helps keep our data encrypted, and no one can decrypt your data without your permission if you are using "your own key" to encrypt the data.

 

Key Features of Storage Account Encryption

  • Azure Storage encryption protects our data at rest.
  • Azure Storage encrypts our data as it is written in MS Azure data centers and automatically decrypts it for customers based on their usage of or access to the data.
  • Data is encrypted using Microsoft Managed Keys for Azure Blobs, Tables, Files and Queues.
  • We can choose to bring our own key for encryption for Azure Blobs and Files.
  • Encryption for Tables and Queues will always use Microsoft Managed Keys.
Note: After enabling Storage Service Encryption, "only new data will be encrypted" and "existing files in the storage account will be encrypted by a background encryption process."
Let's start and see how we can encrypt the storage accounts.

Step 1: Storage Account Encryption

  • Select the storage account you want to encrypt.
  • Select the Encryption tab under the Settings pane.
  • Click on Encryption.
  • Here you will find two options:
  • Enter your own key
  • Select from Key Vault.

I am selecting the second option as I don't have a Key Vault or my own key.

Azure Storage account1.jpg

Step 2: Azure Key Vault Creation

  • Click on All services and search for Key Vault.
  • Click on Key Vault.
  • Provide the name.
  • Pricing tier.
  • Access policy.
  • Virtual network, if you want to allow the key only from within your networks or restrict it from the Internet.

keyvault.jpg

Step 3: Azure Encryption Key Creation

  • Select the Key Vault.
  • Select Keys under the Settings pane.
  • Click on Generate/Import Key.
  • Provide the name of the key.
  • Key type.
  • RSA key size.
  • You can set the activation date and expiration date.

encryption eky.jpg

Step 4: Azure Storage Account Verification

  • Verify the Key Vault.
  • Verify the encryption key and select the correct key.
  • Click on Save.
  • It will take some time to save the settings.
  • Storage account encryption has been enabled.

Verifications steps.jpg

 


Azure Storage: Azure AD Integration, Storage Endpoints and Soft Delete

We have been running these sessions for a while and thought of covering a storage session (deep dive into Azure Tables and Queues), and of trying to cover new features like Azure Storage endpoints, Azure AD integration, configuring VM MSI, etc.

We have conducted 4 sessions on Azure Storage, which I will be sharing in my next blogs.

As part of our AzureTalk free webinar, I have given a session on storage where I covered the topics below.

  • Azure Tables and Queues
  • AzCopy
  • Azure Storage service endpoints and firewall
  • Azure AD integration and authentication
  • Configure VM MSI
  • Soft Delete (public preview)
  • Demo

Azure Storage Accounts: Blob Storage and File Storage

We have been running these sessions for a while and thought of covering a storage session (deep dive into Blob storage and File storage), where we covered the new features now available in storage accounts and tried to explain them in such a way that they are easy to understand even for new Azure learners.

We have conducted 4 sessions on Azure Storage, which I will be sharing in my next blogs.

As part of our AzureTalk free webinar, I have given a session on storage where I covered the topics below.

  • Azure storage account types
  • Blob storage and File storage
  • Use cases of Blob storage and File storage
  • File storage creation
  • Demo

 

 

 

Azure for Beginners Series: Azure Storage Accounts

 

We have been running these sessions for a while and thought of covering a storage session, where we covered the new features now available in storage accounts and tried to explain them in such a way that they are easy to understand even for new Azure learners.

We have conducted 4 sessions on Azure Storage, which I will be sharing in my next blogs.

As part of our AzureTalk free webinar, I have given a session on storage where I covered the topics below.

  • Azure storage accounts
  • Storage accounts V1 vs V2
  • Types of storage accounts
  • Azure storage account replication scope
  • Prerequisites for Azure storage account creation

 

AzureTalk Beginners Series: "Azure Storage Account"

It is a great opportunity to have a beginners series session on the AzureTalk platform, where we share Azure knowledge with 2800 members, including architects, MVPs, Azure solution specialists and various industry leaders.

Today I talked about Azure storage accounts, and how MS Azure storage accounts are beneficial and used by all services, whether IaaS, PaaS, SaaS or any third-party application that requires a storage account.

Another interesting part is understanding the storage account types: General Purpose V1 vs V2 vs Blob. I tried to explain this clearly.

I have also shown how Azure storage account replication works and how you can upgrade General Purpose V1 to V2.

Agenda

  • Azure storage account introduction
  • Storage account V1 vs V2
  • Types of storage accounts
  • Azure storage account replication scope
  • Prerequisites for Azure storage account creation

Storage Account GSv2 Configuration

Azure Storage GSv2 Part-1

Storage Account GSv2 Configuration

Read-access geo-redundant storage (RA-GRS)


  • Secure transfer and other options.
  • Then create the storage account.

Azure storage 1

The main differences are highlighted.

General Purpose V2                                               General Purpose V1

azure-storage-2.jpg

Azure Storage V2 has only 3 replication policies (RA-GRS, GRS and LRS), but storage accounts V1 have 4 replication policies: LRS, ZRS, GRS and RA-GRS.

 

For more information, please follow:

Create and Manage Storage Accounts

Setup and Configuration of File Sync Server

File Sync Server part-1

File Sync Server Prerequisites

  1. Create a storage account.
  2. Create the file server (creation of the Azure file share).
  3. An on-premises machine running Windows Server 2012 R2 or 2016R2 with the latest PowerShell (5.1).
  • Get-Module PowerShellGet -list | Select-Object Name,Version,Path
  • # Install the Azure Resource Manager modules from the PowerShell Gallery
    Install-Module AzureRM -AllowClobber

4: Name, subscription, resource group and location.

5: The file location should be D:\FolderName

Step 1: Login to the Azure portal and select the File storage account

Please login to your Azure subscription (Azure portal).

  • Click on Storage accounts.
  • Select the File Sync server. Azure File Sync1

Step 2: Create the File Sync server

  • Please provide the File Sync server name.
  • Subscription.
  • Resource group name.
  • Location (it is available in only a few locations, like West US).

Azure File Sync2

Step 3: Create the Sync Group

Click on Sync Group.

Azure File Sync3

  • Provide the sync group name.
  • Select the subscription.
  • Select the storage account.
  • Select the file share.

Azure File Sync4

azure-file-sync5.jpg

  • Please download the Azure Storage Sync Agent.
  • Install it on the Server 2012 R2 or 2016 server in your on-premises environment.

azure-file-sync6.jpg

  • Login to the server and turn off the Internet security setting: this is for test purposes only and is not recommended for a production environment.

azure-file-sync7.jpg

  • Select the files as per your server requirements.

Azure File Sync8

  • Install the Storage Sync Agent setup.

file sync setup1

  • Accept the terms and conditions.

file sync setup2

  • Select the folder location for the installation files.

file sync setup3

  • Select "Collect data necessary to identify and fix the problem".

file sync setup5

  • Select Microsoft Update.

file sync setup4

  • Click on Finish.

file sync setup6

You will get a prerequisite error if the PowerShell version is old.

Please use the command line from the prerequisites section to update PowerShell.

Azure File Sync9

Please find the command below.

  • Get-Module PowerShellGet -list | Select-Object Name,Version,Path
  • # Install the Azure Resource Manager modules from the PowerShell Gallery
    Install-Module AzureRM -AllowClobber

Azure File Sync10

  • Sign in and register the server.
  • Click on Sign in and you will get the Azure portal login window.
  • Please provide the user ID and password.

Azure File Sync101

Azure File Sync12

  • Select the subscription name.
  • Select the resource group.
  • Select the Storage Sync Service.

Azure File Sync14

  • Click on Register and sign in again.

Azure File Sync15

  • Registration successful.

Azure File Sync16

  • Once you have registered the server, you will see it in the File Sync registered servers list.

Azure File Sync18

  • Click on Add Server Endpoint.

Azure File Sync19

Add Server Endpoint

  • Registered server
  • Path
  • Cloud tiering: how much free space you want to keep.

Azure File Sync20

  • Your cloud endpoint is created.

Azure File Sync21

  • Verify that your cloud endpoint is healthy.

Azure File Sync22

  • Verify the files in the Azure file share; you have successfully deployed the File Sync server.

Azure File Sync23

 

 

 

Azure File Sync Server Overview

 

What is Azure File Sync?

  • Azure File Sync helps us manage file servers centrally without downtime.
  • It syncs the files to Azure and manages your file cache on-premises/in Azure to provide access to or share the files across the globe.

As per Microsoft :

  • Azure File Sync (preview) allows us to centralize our organization’s file shares in Azure Files without giving up the flexibility, performance, and compatibility of an on-premises file server.

  • It does this by transforming our Windows Servers into a quick cache of your Azure File share.

  • We can use any protocol available on Windows Server to access your data locally (including SMB, NFS, and FTPS) and we can have as many caches as you need across the world.

Azure File Sync terminology

Storage Sync Service

  • The Storage Sync Service is the top-level Azure resource representing Azure File Sync; the Storage Sync Service resource is a peer of the storage account resource. It can be deployed into Azure resource groups.
  • A top-level resource separate from the storage account is required because the Storage Sync Service can create sync relationships with multiple storage accounts via multiple sync groups.
  • A subscription can have multiple Storage Sync Service resources deployed.

Sync Group

  • A sync group defines the sync topology for a set of files which you want to manage with an Azure file share.
  • Ex: If you have 2 distinct sets of files, then you need to create two sync groups and add endpoints to each.
  • A Storage Sync Service can host as many sync groups as you need.

Registered Server

  • A Registered Server object represents a trust relationship between our on-premises server (or cluster) and the Storage Sync Service.
  • We can register as many servers to a Storage Sync Service instance as we want to add.
  • A server (or cluster) can only be registered with one Storage Sync Service at any given time.

Azure File Sync agent

Azure File Sync has 3 components which run in the background.

  • FileSyncSvc.exe: the background Windows service which is responsible for monitoring changes on server endpoints and for initiating sync sessions to Azure.
  • StorageSync.sys: the Azure File Sync file system filter, which is responsible for tiering files to Azure Files (when cloud tiering is enabled).
  • PowerShell management cmdlets: the PowerShell cmdlets that we use to interact with the Microsoft.StorageSync Azure resource provider.
  • We can find these at the following (default) locations:
    • C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.PowerShell.Cmdlets.dll
    • C:\Program Files\Azure\StorageSyncAgent\StorageSync.Management.ServerCmdlets.dll

Azure File Sync OS Compatibility

Version | Supported SKUs | Supported deployment options
Windows Server 2016 | Datacenter and Standard | Full (server with a UI)
Windows Server 2012 R2 | Datacenter and Standard | Full (server with a UI)

File system features:

Feature | Support status | Notes
Access control lists (ACLs) | Fully supported | Windows ACLs are preserved by Azure File Sync, and are enforced by Windows Server on server endpoints. Windows ACLs are not (yet) supported by Azure Files if files are accessed directly in the cloud.
Hard links | Skipped |
Symbolic links | Skipped |
Mount points | Partially supported | Mount points might be the root of a server endpoint, but they are skipped if they are contained in a server endpoint's namespace.
Junctions | Skipped |
Reparse points | Skipped |
NTFS compression | Fully supported |
Sparse files | Fully supported | Sparse files sync (are not blocked), but they sync to the cloud as a full file. If the file contents change in the cloud (or on another server), the file is no longer sparse when the change is downloaded.
Alternate Data Streams (ADS) | Preserved, but not synced |

Features supported by File Sync:

  • Windows Server Failover Clustering is supported in Azure File Sync for the "File Server for general use" role, not for Clustered Shared Volumes.
  • Data Deduplication: Azure File Sync supports Windows Server Data Deduplication enabled on the volume.
  • Encryption solutions:
    • BitLocker encryption
    • Azure Rights Management Services (Azure RMS) (and legacy Active Directory RMS)
  • Azure File Sync is known not to work with:
    • NTFS Encrypted File System (EFS)

 

File Server Migration to Azure Using Azcopy Utility

What is AzCopy?

AzCopy is a command-line utility designed to copy data to and from Microsoft Azure Blob, File and Table storage using simple commands.

Below are the scenarios in which we can use the AzCopy utility.

  • On-premises file server to Azure File storage, and vice versa.

  • Between Azure storage accounts.

  • Between Azure storage accounts in two different subscriptions.

  • We can copy data from the Classic (ASM) model to the ARM model.

  • We can download, upload and copy Blob, File and Table (export and import) storage using the AzCopy command.

  • Resume interrupted operations.

It is built on the .NET Framework and can be used on Windows and Linux platforms.

How to Download and Install the AzCopy Utility

Please download the AzCopy command-line utility using the link below.

Please copy and paste the URL below into the browser; it will then automatically download the AzCopy utility.

http://aka.ms/downloadazcopy (Download AzCopy)

  • Once we have downloaded the setup:

  • Right-click on MicrosoftAzurestorageTool and run it as administrator.

  • We will get the welcome page; then click Next.

Installtion 1

  • Accept the End-User License Agreement and click Next.

Installtion 2

  • Select the destination folder where we want to keep the installation files, and click Next.

installtion 3

  • We will get the AzCopy installation page; click on Install to install the AzCopy utility.

installtion 4

  • Once it is installed, click on Finish; the AzCopy utility is now installed on your Windows system.

installtion 5

Method 1:

Once it is installed, you can search for AzCopy on your PC and open it with Run as administrator.

 

Open Azcopy storate command

You will get the command-line utility shown below, which is used to migrate files, download blobs, etc. for storage accounts.

  • Azutilites

Method 2:

  • Open a CMD prompt and then go to the AzCopy location:

  • C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\

  • Run the AzCopy command. CMD azcopy

Migrating On-premises Files to Azure File Storage Accounts Using AzCopy

Step 1: Create the storage account

  • Login to the Azure portal (https://portal.azure.com) using your Azure subscription credentials.
  • Click on the + sign.
  • Click on Storage.
  • Select Storage account - blob, file, table, queue.
  • Provide the name of the storage account as per your organization's standard.
  • Select the deployment model.
  • Account kind.
  • Performance.
  • Replication.
  • Secure transfer.
  • Resource group and location where we want to create the storage account.

Storage account Creation.jpg

  • Once the storage account is created, please create the file share.
  • We can also move the data to an Azure container if required.

Note: Please make sure all .vhd files are moved to an Azure blob container as page blobs if you are planning to use the .vhd files for a customized or specialized image.

Step 2: Create the file share

Click on Files.

File storage

  • Add the file share.

  • Provide the file share name.

  • Quota: 100 GB.

Note: File storage can store 5 TB of data, which is the default limit for a file share.

File storage1

Click on Properties and copy the share path (URL).

File storage2

Step 3: Accessing the source key

  • Select the storage account.
  • Go to Settings.
  • Select Access keys and copy the primary access key.
  • Keep the information in Notepad.

Source key.jpg

 

Step 4: Run the AzCopy command in the AzCopy utility

Please use the command below to move the files to the Azure file share.

AzCopy /Source:E:\Rcloudweb /Dest:https://Fileserver.file.core.windows.net/rcloudweb/ /DestKey:<key of your storage account> /S

Here /Source is your on-premises server location, /Dest is the Azure File storage location, /DestKey is the access key of your storage account, and the /S switch is used to copy the complete folder (recursively).

Please find below an example screenshot of the AzCopy command which ran successfully.

Azcopy Command.jpg

Step 5: Migrated files verification

As you can see below, I have successfully migrated my files and folders.

Verfication..jpg

 

Copy across file shares

AzCopy /Source:https://rcloudweb1.file.core.windows.net/rcloudweb1/ /Dest:https://rcloudweb2.file.core.windows.net/rcloudweb2/ /SourceKey:<key1> /DestKey:<key2> /S

(key1 is the Rcloudweb1 storage access key and key2 is the Rcloudweb2 storage access key.)

File download

AzCopy /Source:https://rcloudweb.file.core.windows.net/rcloudweb/rcloudweb1/ /Dest:C:\rcloudweb /SourceKey:<key> /Pattern:abc.txt

(key is the Rcloudweb storage access key.)

Download all files

AzCopy /Source:https://rcloudweb.file.core.windows.net/rcloudweb/ /Dest:C:\rcloudweb /SourceKey:<key> /S

(key is the Rcloudweb storage access key.)

Copy a single blob between storage accounts

AzCopy /Source:https://rcloudweb1.blob.core.windows.net/rcloudweb1 /Dest:https://rcloudweb2.blob.core.windows.net/rcloudweb2 /SourceKey:<key1> /DestKey:<key2> /Pattern:rcloudfile.txt

(key1 is the Rcloudweb1 storage access key and key2 is the Rcloudweb2 storage access key.)

For more AzCopy commands, you can go to the Microsoft AzCopy documentation by following the link below.

https://docs.microsoft.com/en-us/azure/storage/common/storage-use-azcopy
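The commands above put the storage account key directly on the command line, where it can end up in shell history, scheduled-task definitions and support tickets. The helper below is an added example, not code from the post or from AzCopy: it assembles the same AzCopy v5 switches (/Source:, /Dest:, /SourceKey:, /DestKey:, /Pattern:, /S) as separate argv entries, refuses plain-http storage endpoints (which the "Secure transfer required" option would reject anyway), and produces a redacted copy safe for logging. The key values are constructed placeholders.

```python
import re
import subprocess

# AzCopy v5 (Windows) switches that carry secrets; matched case-insensitively.
_SECRET_SWITCH = re.compile(r"^(/(?:SourceKey|DestKey|SourceSAS|DestSAS):)(.*)$",
                            re.IGNORECASE)


def build_azcopy_args(source, dest, source_key=None, dest_key=None,
                      recursive=False, pattern=None):
    """Return argv for an AzCopy v5 run in the switch syntax used in this post.
    Each switch is its own argv entry, so a key is never spliced into a shell
    string; plain-http storage endpoints are refused up front."""
    for endpoint in (source, dest):
        if endpoint.lower().startswith("http://"):
            raise ValueError(f"plain-http storage endpoint refused: {endpoint}")
    args = ["AzCopy", f"/Source:{source}", f"/Dest:{dest}"]
    if source_key:
        args.append(f"/SourceKey:{source_key}")
    if dest_key:
        args.append(f"/DestKey:{dest_key}")
    if pattern:
        args.append(f"/Pattern:{pattern}")
    if recursive:
        args.append("/S")
    return args


def redact(args):
    """Copy of argv that is safe to paste into a ticket or log file: the value
    of every secret-carrying switch is replaced by ***, nothing else changes."""
    out = []
    for arg in args:
        m = _SECRET_SWITCH.match(arg)
        out.append(m.group(1) + "***" if m else arg)
    return out


def rejects_plain_http(dest):
    """True if build_azcopy_args refuses this destination (used for checks)."""
    try:
        build_azcopy_args(r"E:\Rcloudweb", dest, dest_key="x")
    except ValueError:
        return True
    return False


def run_azcopy(args):
    """Run AzCopy without a shell; only the redacted form is echoed."""
    print("running:", " ".join(redact(args)))
    return subprocess.run(args, check=False).returncode


if __name__ == "__main__":
    # Same migration as Step 4 above, with a constructed placeholder key.
    cmd = build_azcopy_args(r"E:\Rcloudweb",
                            "https://fileserver.file.core.windows.net/rcloudweb/",
                            dest_key="CONSTRUCTED-PLACEHOLDER-KEY==", recursive=True)
    print(" ".join(redact(cmd)))
```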

Create and Manage an Azure Storage Account

How to create a storage account

1: Sign in to the Azure portal.

2: On the Hub menu, click on Search, then search for "storage" -> select Storage -> Storage account.

storage account0

3: Enter a name for your storage account as per your organization's standard naming.

4: Specify the deployment model to be used: Resource Manager or Classic.

Resource Manager is the recommended deployment model.

5: Select the type of storage account: General purpose or Blob storage.

"If General purpose was selected, then specify the performance tier: Standard or Premium. The default is Standard."

6: Select the replication option for the storage account: LRS, GRS, RA-GRS, or ZRS. The default is RA-GRS. For more details on Azure Storage replication, see the note below.

Note: Please follow my blog to understand storage and LRS, GRS, RA-GRS, or ZRS: https://rcloudweb.wordpress.com/2017/06/21/azure-storage-account-overview-easy-to-understand/

7: Please select the subscription in which you want to create the new storage account.

8: Specify a new resource group or select an existing resource group. For more information on resource groups

9: Select the geographic location for your storage account, e.g. East US, Central US, West US, etc.

10: Click Create to create the storage account.

storage account1

11: Select "Pin to dashboard" if you want your service to be shown on the Azure dashboard after creation.

Storage account endpoints:

Azure storage account endpoints are used for accessing the Blob service, Table service, Queue service and File service, to access the data, share the data, etc.

YourStorageAccountName is the storage account name you provided while creating the storage account; the endpoints follow the naming convention per storage service shown below.

Blob service: http://YourStorageAccountName.blob.core.windows.net

Table service: http://YourStorageAccountName.table.core.windows.net

Queue service: http://YourStorageAccountName.queue.core.windows.net

File service: http://YourStorageAccountName.file.core.windows.net

Manage your storage account

Once we have created the storage account, please look at the storage account settings in detail below.

Overview: It shows the storage account and its usage and other details.

It shows all the storage types: Blob storage, Table storage, File storage and Queue storage. Clicking on one of them gives you access to that sub-storage.

storage account3

Azure storage oveview

Activity Logs: Activity logs are just like the event logs of your services; they show the complete activity log of your storage account.

activity logs

Access Control (IAM): This is role-based access control for storage accounts. If you want someone from your team to manage the storage account, or you want to restrict access for other departments, you can add that user in IAM and limit the access granted to that particular user.

Access Control

Tags: Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups.

tags

Diagnose and Solve Problems: This is the MS Azure knowledge-base solution, a collection of solutions for common scenarios which we can go through to try to fix the issue. Common scenarios are below, and more can be found in the Azure portal.

  • I can't delete my storage account
  • Move data to, from, or within Azure Storage
  • Need help with Import/Export
  • My VM/disk is slow
  • My storage service is slow

Diagnose and Solve Problems

Access Keys: Use access keys to authenticate your applications when making requests to this Azure storage account. Store your access keys securely, for example using Azure Key Vault, and don't share them. We recommend regenerating your access keys regularly. You will find two access keys so that you can maintain connections using one key while regenerating the other.

Access keys are used to access the Azure storage account and its components: File storage, Blob storage, etc.

access keys

Configuration: The cost of your storage account depends on the usage and the options you choose below.

If we want to change the configuration, then we can change it by selecting the options below.

Performance: We can choose Standard or Premium storage accounts based on the organization's needs.

Secure transfer: If you want to transfer data or files securely, then please enable this option.

Replication: You can change the replication option: LRS, ZRS, GRS, RA-GRS.

Configuration

Shared access signature: A shared access signature (SAS) is a URI that grants restricted access rights to Azure Storage resources. You can provide a shared access signature to clients who should not be trusted with your storage account key but to whom you wish to delegate access to certain storage account resources. By distributing a shared access signature URI to these clients, you grant them access to a resource for a specified period of time.

Note: Basically it is used for development work; if you want to share some development data or API work with a client with restricted access, please try this.

Shared access Signature
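To make concrete why a SAS is safer to hand out than the account key, here is an added example (not code from the post or from the Azure SDK) that builds a service SAS for one file in a file share the way the service defines it: an HMAC-SHA256 over the fixed string-to-sign fields (permissions, start, expiry, canonical resource, identifier, IP, protocol, version and five empty response-header overrides, the layout for API version 2018-03-28), keyed with the base64-decoded account key. The verifier recomputes the MAC and checks expiry, so any edit to the permissions or resource invalidates the token. The account key is a constructed sample, and the account, share and file names are placeholders.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

SAS_VERSION = "2018-03-28"          # string-to-sign layout used below
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"     # ISO-8601 UTC as the service expects

# Constructed sample account key for the demo; not a real Azure key.
SAMPLE_ACCOUNT_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-one").decode()


def _string_to_sign(perms, start, expiry, canonical_resource,
                    identifier="", ip="", protocol="https", version=SAS_VERSION):
    # Field order is fixed by the service; an unused field is still an empty line.
    # The five trailing empty fields are rscc, rscd, rsce, rscl, rsct (unused here).
    return "\n".join([perms, start, expiry, canonical_resource, identifier,
                      ip, protocol, version, "", "", "", "", ""])


def _signature(account_key_b64, string_to_sign):
    # HMAC-SHA256 keyed with the *decoded* account key, result base64-encoded.
    key = base64.b64decode(account_key_b64)
    mac = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def make_file_sas(account, share, path, account_key_b64, perms="r",
                  hours=1, now=None):
    """Build a read-only (by default), HTTPS-only, short-lived service SAS
    query string for a single file in an Azure file share."""
    now = now or datetime.now(timezone.utc)
    start = now.strftime(TIME_FMT)
    expiry = (now + timedelta(hours=hours)).strftime(TIME_FMT)
    canonical = f"/file/{account}/{share}/{path}"   # resource bound into the MAC
    sig = _signature(account_key_b64, _string_to_sign(perms, start, expiry, canonical))
    params = {"sv": SAS_VERSION, "sr": "f", "sp": perms, "st": start,
              "se": expiry, "spr": "https", "sig": sig}
    return urlencode(params)


def verify_file_sas(account, share, path, account_key_b64, query, now=None):
    """Recompute the signature as the service would, then check expiry.
    Returns (ok, reason); editing any signed field breaks the MAC."""
    q = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    canonical = f"/file/{account}/{share}/{path}"
    expected = _signature(account_key_b64, _string_to_sign(
        q.get("sp", ""), q.get("st", ""), q.get("se", ""), canonical,
        q.get("si", ""), q.get("sip", ""), q.get("spr", ""), q.get("sv", "")))
    if not hmac.compare_digest(expected, q.get("sig", "")):
        return False, "bad signature"
    now = now or datetime.now(timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return False, "expired"
    return True, "ok"


def demo():
    """Fixed-time walkthrough: issue a token for abc.txt, then verify the genuine
    token, a copy with permissions widened to rw, a late use, and a different file."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)
    args = ("rcloudweb", "rcloudweb", "abc.txt", SAMPLE_ACCOUNT_KEY)
    token = make_file_sas(*args, now=issued)
    return {
        "token": token,
        "genuine": verify_file_sas(*args, token, now=issued),
        "widened": verify_file_sas(*args, token.replace("sp=r&", "sp=rw&"), now=issued),
        "late": verify_file_sas(*args, token, now=issued + timedelta(hours=2)),
        "other_file": verify_file_sas("rcloudweb", "rcloudweb", "x.txt",
                                      SAMPLE_ACCOUNT_KEY, token, now=issued),
    }
```

The full URL handed to a client is the file URL plus "?" and the returned query string; the client never sees the account key, and the token stops working at the expiry you set.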

Properties: Storage account properties basically show the configuration you chose while creating the storage account, like location, name, resource ID, etc.

properties

Automation Script: Automate deploying resources with Azure Resource Manager templates in a single, coordinated operation. Define resources and configurable input parameters and deploy with script or code.

"If you want to create the storage account using JSON, then you can try this option."

Automation Script

Blob, File, Table and Queue storage properties and configuration will be added in the next blog.