What Is Azure Blob Storage?
Azure Blob Storage is Microsoft's object storage service for unstructured data such as images, videos, log files, backups, and documents. Unlike a file system with folders, data lives as blobs inside flat containers, addressed directly over HTTPS by URL, which makes it the backbone for serving web assets and archiving petabytes of data cheaply.
Cricket analogy: Think of a container as a stadium's video archive room: every ball bowled in a match is stored as a single labeled clip (a blob), retrieved instantly by URL rather than digging through a filing cabinet of tapes.
Blob Types: Block, Append, and Page Blobs
Azure Blob Storage supports three blob types tuned for different access patterns. Block blobs, the default, are made of individually managed blocks and are ideal for streaming media, documents, and backups, supporting sizes up to roughly 190.7 TiB. Append blobs are optimized for append-only operations like logging, where new blocks are added to the end without rewriting existing data. Page blobs store random-access data in 512-byte pages and back Azure IaaS virtual machine disks (VHDs), since VMs need random reads and writes rather than sequential writes.
Cricket analogy: Block blobs are like a highlights reel assembled from separate clips of each over; append blobs are like a live ball-by-ball commentary feed that only ever adds the next delivery; page blobs are like a scorecard that gets random cells updated as wickets fall.
# Create a resource group, storage account, and container, then upload a blob
az group create --name rg-blobdemo --location eastus
az storage account create \
--name blobdemostorage01 \
--resource-group rg-blobdemo \
--location eastus \
--sku Standard_LRS \
--kind StorageV2
az storage container create \
--account-name blobdemostorage01 \
--name images \
--auth-mode login
az storage blob upload \
--account-name blobdemostorage01 \
--container-name images \
--name product-photo.jpg \
--file ./product-photo.jpg \
--auth-mode loginAccess Tiers: Hot, Cool, Cold, and Archive
Blob Storage offers Hot, Cool, Cold, and Archive access tiers that trade storage cost against access cost and latency. Hot is optimized for data accessed frequently, Cool and Cold suit infrequently accessed data retained for at least 30 or 90 days respectively, and Archive is the cheapest option for data that can tolerate hours of rehydration latency, such as long-term compliance records. Lifecycle management policies can automatically move blobs between tiers or delete them based on rules like 'move to Cool after 30 days of no access'.
Cricket analogy: Hot tier is like this season's match footage kept courtside for instant replay reviews; Archive is like footage from a 1983 World Cup final stored in a vault, needing hours to retrieve for a documentary.
Use a lifecycle management policy to automate tiering: for example, rules that move blobs to Cool after 30 days of inactivity and to Archive after 180 days can cut storage costs significantly for logs and backups without any manual intervention.
Security and Access Control
By default, containers and blobs are private and require authentication such as an Azure AD identity, a storage account key, or a Shared Access Signature (SAS) token that grants time-limited, scoped permissions. Role-Based Access Control (RBAC) roles like Storage Blob Data Reader or Storage Blob Data Contributor let you grant least-privilege access at the subscription, resource group, storage account, or container level, while SAS tokens are useful for granting temporary access to external clients without sharing account keys.
Cricket analogy: It's like a stadium issuing time-stamped media passes (SAS tokens) that let a specific broadcaster into the press box for just today's match, rather than handing out a master key to the entire ground.
Never enable public (anonymous) read access on a container without a deliberate reason and review — a misconfigured public container is one of the most common cloud data-exposure incidents, since anyone with the URL can read every blob inside it.
- Blob Storage holds unstructured data (images, video, backups, logs) as objects inside flat containers, addressed by URL.
- Block blobs suit general files and streaming; append blobs suit logging; page blobs back IaaS VM disks (VHDs).
- Access tiers — Hot, Cool, Cold, and Archive — trade storage cost against retrieval cost and latency.
- Lifecycle management policies automate moving or deleting blobs across tiers based on age or last-access rules.
- Access is controlled via Azure AD/RBAC roles, account keys, or time-limited, scoped SAS tokens.
- Containers and blobs are private by default; public anonymous access should be enabled only deliberately and reviewed carefully.
- Blob Storage is the foundation for static website hosting, data lake analytics, and backup/archive workloads on Azure.
Practice what you learned
1. Which blob type is specifically optimized for append-only operations such as logging?
2. Which blob type backs Azure IaaS virtual machine disks (VHDs)?
3. Which access tier is best suited for compliance data that can tolerate hours of retrieval latency?
4. What is the primary purpose of a Shared Access Signature (SAS) token?
5. By default, when a new container is created in Azure Blob Storage, what is its public access level?
Was this page helpful?
You May Also Like
Azure Storage Account Types
A guide to choosing between general-purpose and premium Azure storage account kinds, and how performance and redundancy tiers interact.
Azure Storage Redundancy Options
A comparison of Azure Storage's LRS, ZRS, GRS, and GZRS redundancy options and how to choose between them.
Azure Files Basics
An introduction to Azure Files managed file shares, covering SMB/NFS protocols, Azure File Sync, and share tiers.