Microsoft has 3 types of storage accounts:
- General Purpose (V1 or GPV1)
- General Purpose V2 (GPV2)
- Blob Storage
In late 2017 Microsoft simplified its storage offerings by providing a single storage account that includes all features and storage options. General Storage v2 is the new account type that supports all storage types (Block Blobs, Page Blobs, Files, Queues and Tables) and all storage tiering options (Hot, Cold and Archive).
General-purpose v2 storage accounts support the latest Azure Storage features and incorporate all of the functionality of general-purpose v1 and Blob storage accounts. Microsoft recommends using a general-purpose v2 storage account for most scenarios. Source: Microsoft.
General Purpose v2 is the default for new storage accounts in the Azure Portal should be used in preference of dedicated Blob Accounts moving forward.
Should you require the ability to upload and/or manage files and folders in your Azure storage account directly use the Azure Storage Explorer software for Windows, Mac or Linux.
More information here https://azure.microsoft.com/en-gb/features/storage-explorer/.
Azure has 54 regions worldwide and is available in over 140 countries (December 2018). Consider your primary location with regard to both latency and relevant security legislation.
Microsoft's Storage Service Encryption (SSE) is enabled by default using Microsoft Managed Keys for all Azure Blob and File Storage services.
All data that is written into Azure storage will be automatically encrypted by Storage service prior to persisting, and decrypted prior to retrieval. Encryption and decryption are completely transparent to the user. All data is encrypted using 256-bit AES encryption, also known as AES-256—one of the strongest block ciphers available. Storage Service Encryption.
Data in your Microsoft Azure storage account is always replicated to ensure durability and high availability.
"Azure Storage replication copies your data so that it is protected from planned and unplanned events ranging from transient hardware failures, network or power outages, massive natural disasters, and so on. You can choose to replicate your data within the same data center, across zonal data centers within the same region, and even across regions." Azure Storage Replication
Read-Only Geo Redundant Storage (RA-GRS) currently provides the highest uptime for read requests by providing read-only access to your data in a secondary location, in addition to replication across two regions. RA-GRS is the default option when new storage accounts are created and provides a 99.99% availability SLA for read requests.
The "Secure transfer required" option enhances the security of your storage account by only allowing requests to the account from secure (HTTPS) connections, this includes when accessing your storage account APIs. Any requests using HTTP will be rejected when secure transfer is enabled.
Note By default, the "Secure transfer required" option is disabled. We suggest enabling it.
Azure enables you to uses network access rules to secure your storage accounts to a specific set of supported networks. When network rules are configured, only applications requesting data from over the specified set of networks can access a storage account.
Note: By default, storage accounts accepts connections from clients on any network.
To increase security:
- Change the default network rule to Deny
- Selectively permit required Azure Virtual Networks
- Selectively permit required public IP ranges (e.g. on-premise locations)