
Azure Storage Account versioning is a powerful feature that allows you to store multiple versions of your data. This is especially useful for applications that require data consistency and integrity, such as financial transactions or medical records.
With Azure Storage Account versioning, you can retain previous versions of your data for a specified period, which is set to 7 days by default. If you change your data, the previous version is retained for those 7 days, so you can revert to it if needed.
You can also customize the retention period to suit your needs, which is a great feature for applications that require longer retention periods. For example, if you need to retain previous versions for 30 days, you can simply update the retention period in your Azure Storage Account settings.
Prerequisites
To configure version-level time-based retention policies, you need to enable blob versioning for your storage account.
Enabling blob versioning may have a billing impact, so consider this before proceeding.
To learn how to enable blob versioning, check out the article on how to enable and manage blob versioning.
Azure Storage Account Versioning
Azure Storage Account Versioning is a powerful feature that allows you to keep track of different versions of a blob in a container. This feature is part of the data protection strategy provided for Azure.
You can enable version-level immutability support only when you create a new storage account, and it can't be disabled after it's enabled. To enable it in the Azure portal, follow the steps outlined in the documentation.
In the portal, version-level immutability is enabled by selecting its checkbox on the Data protection tab when you create the account. Selecting it also selects Enable versioning for blobs, so you don't have to enable versioning separately.
If you have a large number of versions per blob, it can increase the latency for blob listing operations. Microsoft recommends maintaining fewer than 1000 versions per blob to avoid this issue.
Blob versioning is available for standard general-purpose v2, premium block blob, and legacy Blob storage accounts. However, storage accounts with a hierarchical namespace enabled for use with Azure Data Lake Storage aren't currently supported.
Here's a quick rundown of how blob versioning works:
- A new version is created with a unique ID when a blob is first created and each time it's modified.
- The new version becomes the current version, and the previous version is retained.
- You can configure a time-based retention policy on a previous version of a blob to protect against deletion.
- A previous version can be deleted, but any locked policies will prevent deletion.
By using Azure Storage Account Versioning, you can ensure compliance with regulations, experiment without fear of losing original data, and recover from accidental deletions or changes. It's like having a digital library where different versions of a document are stored, ready to be accessed when needed.
Time-Based Retention
You can configure a time-based retention policy on a blob version to maintain its immutability for a specified interval. This policy can be applied to the current version of a blob, a previous version, or inherited from a default policy on the storage account or container.
There are three options for configuring a time-based retention policy: configuring a default policy on the storage account or container, configuring a policy on the current version of the blob, or configuring a policy on a previous version of a blob.
To configure a time-based retention policy, you can use the Azure CLI or PowerShell commands, such as the az storage blob immutability-policy set command or the Set-AzStorageBlobImmutabilityPolicy command.
Default Time-Based Retention
A default time-based retention policy is a great way to automatically apply a retention period to all objects in a storage account or container. This policy can be configured on the storage account or container level, and it will apply to all objects within that scope unless overridden by a policy on an individual blob version.
You have three options for configuring a default time-based retention policy: you can configure it on the storage account, container, or both. If you configure it on the storage account, it will apply to all containers within that account. If you configure it on the container, it will apply to all blobs within that container.
To configure a default time-based retention policy, you can use the Azure portal or Azure CLI. In the Azure portal, you can navigate to the storage account or container, and then click on the "Properties" tab. From there, you can click on the "Default time-based retention policy" section and configure the policy as needed.
By configuring a default time-based retention policy, you can ensure that all objects within a storage account or container have a consistent retention period, making it easier to manage and maintain your data.
Retention on the Current Version
You can configure a retention policy on the current version of a blob, which can override a default policy configured on the storage account or container. This policy is inherited by any previous versions created after it's configured.
To configure a retention policy on the current version of a blob, navigate to the container that contains the target blob and select Access policy from the context menu. If a time-based retention policy has already been configured for the previous version, it appears in the Access policy dialog.
You can add a policy by selecting Time-based retention policy and specifying the retention interval. The policy is then applied to the current version of the blob.
You can also view the properties for a blob to see whether a policy is enabled on the current version. Select the blob, then navigate to the Overview tab and locate the Version-level immutability policy property.
Here's a summary of how to configure a retention policy on the current version of a blob:
- Navigate to the container that contains the target blob.
- Select Access policy from the context menu.
- Add a time-based retention policy and specify the retention interval.
- Select OK to apply the policy to the current version of the blob.
Keep in mind that a policy may either be configured for the current version, or may be inherited from the blob's parent container if a default policy is in effect.
Restoring Previous Versions
Restoring Previous Versions is a crucial part of managing your data in Azure Blob Storage. You can restore a previous version of a blob by navigating to the Versions tab, locating the target version, and choosing Access policy. If a time-based retention policy has already been configured for the previous version, it appears in the Access policy dialog.
To restore a soft-deleted version, you can use the Undelete Blob operation, which restores all soft-deleted versions associated with the blob. This operation is only available within the designated retention period.
You can also configure a time-based retention policy on a previous version of a blob, which protects against deletion while it is in effect. To do this, you can follow these steps:
- Navigate to the container that contains the target blob.
- Select the blob, then navigate to the Versions tab.
- Locate the target version, then, in the context menu of the version, choose Access policy.
- In the Access policy dialog, under the Immutable blob versions section, choose Add policy.
- Select Time-based retention policy and specify the retention interval.
- Select OK to apply the policy to the current version of the blob.
It's worth noting that restoring soft-deleted versions doesn't automatically promote any version to become the current version. To restore the current version, you must first reinstate all soft-deleted versions and then utilize the Copy Blob operation to create a new current version.
Here are the options for configuring a time-based retention policy for a blob version:
- Option 1: Configure a default policy on the storage account or container that applies to all objects in the account or container.
- Option 2: Configure a policy on the current version of the blob, which can override a default policy configured on the storage account or container.
- Option 3: Configure a policy on a previous version of a blob, which can override a default policy configured on the current version.
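As an added example (not code from the page or from Microsoft), the following Python script plans Option 3 for every previous version of a blob: it reads the listing that `az storage blob list --include v -o json` returns, computes the expiry from a retention interval, and builds one `az storage blob immutability-policy set` call per previous version. It assumes az's camelCase field names versionId and isCurrentVersion, a `--version-id` flag on that command, and the constructed account, container and blob names.

```python
"""Plan version-level time-based retention policies for a blob's previous versions."""
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `az storage blob list --include v -o json`
# (field names versionId / isCurrentVersion are assumed from az's camelCase output).
SAMPLE_LISTING = json.dumps([
    {"name": "ledger.csv", "versionId": "2024-03-01T09:00:00.0000000Z", "isCurrentVersion": False},
    {"name": "ledger.csv", "versionId": "2024-03-02T09:00:00.0000000Z", "isCurrentVersion": False},
    {"name": "ledger.csv", "versionId": "2024-03-03T09:00:00.0000000Z", "isCurrentVersion": True},
    {"name": "notes.txt", "versionId": "2024-03-03T10:00:00.0000000Z", "isCurrentVersion": True},
])
FIXED_NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output

def previous_versions(listing_json, blob_name):
    """Version IDs of blob_name that are not the current version (the ones exposed to deletion)."""
    return [b["versionId"] for b in json.loads(listing_json)
            if b["name"] == blob_name and not b.get("isCurrentVersion")]

def expiry_utc(retention_days, now=None):
    """RFC 3339 expiry for --expiry-time, retention_days from now."""
    if retention_days < 1:
        raise ValueError("retention interval must be at least one day")
    now = now or datetime.now(timezone.utc)
    return (now + timedelta(days=retention_days)).strftime("%Y-%m-%dT%H:%M:%SZ")

def policy_command(account, container, blob, version_id, retention_days, mode="Unlocked", now=None):
    """One `az storage blob immutability-policy set` invocation for a single version.

    Defaults to Unlocked: a Locked policy can only ever be extended, so lock it
    separately once the interval is confirmed. --version-id is assumed; confirm it
    with `az storage blob immutability-policy set --help` on your CLI version.
    """
    if mode not in ("Unlocked", "Locked"):
        raise ValueError("policy mode must be Unlocked or Locked")
    argv = ["az", "storage", "blob", "immutability-policy", "set",
            "--account-name", account, "--container-name", container, "--name", blob,
            "--version-id", version_id, "--expiry-time", expiry_utc(retention_days, now),
            "--policy-mode", mode, "--auth-mode", "login"]
    return shlex.join(argv)

def plan(listing_json, account, container, blob, retention_days, now=None):
    """Commands protecting every previous version of blob for retention_days."""
    return [policy_command(account, container, blob, v, retention_days, now=now)
            for v in previous_versions(listing_json, blob)]

if __name__ == "__main__":
    for cmd in plan(SAMPLE_LISTING, "stexample", "records", "ledger.csv", 30, now=FIXED_NOW):
        print(cmd)
```

Review the printed commands, then run them with an identity that holds the immutability-policy permission; the current version and other blobs in the listing are left untouched.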
Remember, the soft delete feature provides an added layer of protection by retaining deleted blobs and their versions for a specified retention period, minimizing data loss by accidental deletion.
Data Protection
Data protection is a top priority when it comes to Azure Storage Account Versioning. To ensure optimal protection for your blob data, Microsoft recommends enabling all of the following data protection features: blob versioning, container soft delete, and blob soft delete.
Blob versioning automatically maintains previous versions of a blob, allowing you to restore an earlier version to recover your data if it's erroneously modified or deleted. Container soft delete restores a deleted container, while blob soft delete restores a deleted blob, snapshot, or version.
To prevent accidental deletion of the storage account, configure a lock on the storage account resource. This is especially important, as blob versioning cannot help you recover from the accidental deletion of a storage account or container.
Here are the recommended data protection features in a concise list:
- Blob versioning
- Container soft delete
- Blob soft delete
Data Protection Configuration
To ensure your blob data is properly protected, it's essential to configure the right data protection features. Microsoft recommends enabling blob versioning, container soft delete, and blob soft delete as part of a comprehensive data protection strategy.
Blob versioning automatically maintains previous versions of a blob, allowing you to restore an earlier version if it's erroneously modified or deleted. This is especially useful when you need to recover data quickly.
Container soft delete can restore a container that's been deleted, giving you a safety net in case of accidental deletions. Blob soft delete, on the other hand, allows you to restore a blob, snapshot, or version that's been deleted.
To prevent accidental deletion of a storage account, consider configuring a lock on the storage account resource. This will prevent unauthorized modifications to the storage account.
By following these best practices, you'll be well on your way to protecting your blob data and ensuring business continuity in case of data loss or corruption.
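To check an existing account against these recommendations, here is an added example (not the page's or Microsoft's code) that evaluates the JSON from `az storage account blob-service-properties show -n <account> -g <group> -o json` and emits the commands that enable the missing features plus the resource lock. The camelCase field names are assumed from az output, the 7-day minimum matches the default retention mentioned earlier on the page, and the account and group names are constructed.

```python
"""Audit a storage account's blob data-protection settings against the three recommended features."""
import json

# Constructed sample: versioning on, blob soft delete off, container soft delete on for 7 days.
SAMPLE_PROPERTIES = json.dumps({
    "isVersioningEnabled": True,
    "deleteRetentionPolicy": {"enabled": False, "days": None},
    "containerDeleteRetentionPolicy": {"enabled": True, "days": 7},
})

def missing_protections(props_json, min_days=7):
    """Names of recommended features that are off or retain for fewer than min_days."""
    p = json.loads(props_json)
    gaps = []
    if not p.get("isVersioningEnabled"):
        gaps.append("blob versioning")
    blob_sd = p.get("deleteRetentionPolicy") or {}
    if not blob_sd.get("enabled") or (blob_sd.get("days") or 0) < min_days:
        gaps.append("blob soft delete")
    container_sd = p.get("containerDeleteRetentionPolicy") or {}
    if not container_sd.get("enabled") or (container_sd.get("days") or 0) < min_days:
        gaps.append("container soft delete")
    return gaps

def remediation(account, resource_group, days=7):
    """az commands that enable all three features and lock the account against deletion."""
    return [
        f"az storage account blob-service-properties update --account-name {account} "
        f"--resource-group {resource_group} --enable-versioning true "
        f"--enable-delete-retention true --delete-retention-days {days} "
        f"--enable-container-delete-retention true --container-delete-retention-days {days}",
        # The lock covers the one case versioning cannot: deletion of the account itself.
        f"az lock create --name do-not-delete --lock-type CanNotDelete "
        f"--resource-group {resource_group} --resource-name {account} "
        f"--resource-type Microsoft.Storage/storageAccounts",
    ]

if __name__ == "__main__":
    gaps = missing_protections(SAMPLE_PROPERTIES)
    print("missing:", ", ".join(gaps) or "none")
    if gaps:
        print("\n".join(remediation("stexample", "rg-records")))
```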
Soft Delete
Soft Delete provides an added layer of protection by retaining deleted blobs and their versions for a specified retention period, minimizing data loss by accidental deletion.
This feature is part of the recommended data protection configuration for storage accounts, along with blob versioning and container soft delete.
To enable soft delete for blobs, you need to enable blob versioning and container soft delete as well.
If you delete a blob, the current version transitions to a previous version, and no new version is created.
The soft delete retention period doesn't apply to the deleted blob, but deleting a previous version initiates soft deletion for that specific version.
Soft-deleted versions are preserved until the soft delete retention period elapses, at which point they're permanently deleted.
Here are the steps to delete a previous version of a blob:
- Call the Delete Blob operation and specify the version ID.
- The soft-deleted version will be preserved until the soft delete retention period elapses.
Soft delete offers additional protection for deleting blob versions, and it's essential to understand how it works together with blob versioning.
If you delete or overwrite a current version that has had its tier explicitly set, then any previous versions of the soft-deleted blob are billed at full content length.
The soft delete feature can be enabled when creating a new storage account, and it's not possible to disable it after it's enabled.
To delete a soft-deleted blob or version, you need to wait until the soft delete retention period has elapsed, at which point it's permanently deleted.
Pricing and Billing
Enabling blob versioning can result in additional data storage charges to your account. You'll be billed for unique blocks of data across the blob, its versions, and any snapshots it may have.
Blob versions and snapshots are billed at the same rate as active data. If you haven't changed a blob or version's tier, you're charged for unique blocks of data.
If you've changed a blob or version's tier, you're billed for the entire object, regardless of future tier changes. This is true even if the blob and version are eventually in the same tier again.
Enabling versioning for data that is frequently overwritten may result in increased storage capacity charges and increased latency during listing operations. To mitigate these concerns, store frequently overwritten data in a separate storage account with versioning disabled.
If you have not explicitly set the blob tier for any versions of a blob, then you're charged for unique blocks or pages across all versions, and any snapshots it may have. Data that is shared across blob versions is charged only once.
Here's a breakdown of the billing behavior when the blob tier is not explicitly set:
- Unique blocks or pages across all versions and snapshots are charged.
- Data that is shared across blob versions is charged only once.
Updating a blob when versioning is enabled will result in additional unique blocks and additional charges. To minimize costs, call update operations on block blobs so that they update the least possible number of blocks.
The following operations can lead to additional charges when updating a blob with versioning enabled:
- Put Blob operation, which replaces the entire contents of a blob.
- Put Block List operation, which updates multiple blocks at once.
To minimize these charges, use Put Block together with Put Block List, which give fine-grained control over which blocks are replaced.
Shared Access Signatures (SAS)
Shared Access Signatures (SAS) offer a flexible way to grant limited access to Azure Storage resources, enhancing security and control. This approach is ideal for situations where you need to delegate access to blob versions.
To create a SAS token for operations on a specific blob version, you'll need to specify the version ID (bv) in the signed resource type. This ensures that the token only grants access to the intended version.
You can use a SAS to delegate access to blob versions, and the signed resource for a blob version is represented by the symbol 'bv'. This allows you to create a SAS token for operations on a specific version.
Authorize
Authorize operations on blob versions using one of the following methods: Azure role-based access control (Azure RBAC), shared access signature (SAS), or account access keys with Shared Key.
Azure RBAC is recommended by Microsoft, and you can use it to grant permissions to a Microsoft Entra security principal, which provides superior security and ease of use.
You can also use a shared access signature (SAS) to delegate access to blob versions: specify the version ID together with the signed resource type bv, which represents a blob version, to create a SAS token scoped to that version.
To delete a blob version, special permissions are required, and the process involves using one of the above-mentioned methods.
Here are the three methods to authorize operations on blob versions, along with their respective requirements:
- Azure RBAC: Grant permissions to a Microsoft Entra security principal.
- SAS: Specify the version ID for the signed resource type bv.
- Account access keys: Use Shared Key to authorize operations against blob versions.
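For the SAS method above, a token pinned to one version is only as safe as its scope, so this added example (not from the page or Microsoft) reviews a version-scoped SAS URL before it is handed out: it requires sr=bv and a versionid, rejects permissions beyond an allow-list, insists on HTTPS and bounds the lifetime. The query parameter names sr, sp, se, spr and versionid are standard SAS and Blob REST parameters; the thresholds, the sample URL and its placeholder signature are constructed for the example.

```python
"""Least-privilege review of a SAS URL that targets a specific blob version."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample: read-only, HTTPS-only, two-hour token for one version (sig is a placeholder).
SAMPLE_SAS_URL = (
    "https://stexample.blob.core.windows.net/records/ledger.csv"
    "?versionid=2024-03-01T09:00:00.0000000Z&sp=r&sr=bv"
    "&st=2024-03-10T12:00:00Z&se=2024-03-10T14:00:00Z&spr=https"
    "&sv=2022-11-02&sig=PLACEHOLDER"
)
FIXED_NOW = datetime(2024, 3, 10, 12, 30, tzinfo=timezone.utc)  # fixed clock for reproducible checks

def _parse_sas_time(value):
    """SAS times are UTC in either YYYY-MM-DDThh:mm:ssZ or YYYY-MM-DDThh:mmZ form."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None

def review_version_sas(url, allowed_perms="r", max_lifetime=timedelta(hours=24), now=None):
    """Return findings for a version-scoped SAS; an empty list means it passes the baseline."""
    now = now or datetime.now(timezone.utc)
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    findings = []
    if q.get("sr") != "bv":
        findings.append("sr is not bv: token is not scoped to a blob version")
    if not q.get("versionid"):
        findings.append("versionid missing: token is not pinned to one version")
    extra = set(q.get("sp", "")) - set(allowed_perms)
    if extra:
        findings.append("unexpected permissions: " + "".join(sorted(extra)))
    if q.get("spr") != "https":  # without spr=https the token is also accepted over HTTP
        findings.append("spr is not https: token usable over plain HTTP")
    expiry = _parse_sas_time(q.get("se", ""))
    if expiry is None:
        findings.append("se missing or malformed: token has no usable expiry")
    elif expiry <= now:
        findings.append("token already expired")
    elif expiry - now > max_lifetime:
        findings.append("expiry exceeds the %s lifetime limit" % max_lifetime)
    return findings

if __name__ == "__main__":
    for line in review_version_sas(SAMPLE_SAS_URL, now=FIXED_NOW) or ["SAS passes baseline"]:
        print(line)
```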