
Blob containers and access levels in Azure - Deep Dive

Overview - Blob containers and access levels
What is it?
Blob containers are like folders in Azure Storage where you keep your files called blobs. Access levels control who can see or change these blobs. You can set containers to be private, public for blobs only, or public for the whole container. This helps protect your data or share it easily depending on your needs.
Why it matters
Without access levels, anyone could see or change your files, which can cause data leaks or loss. Access levels let you safely share files with the right people or keep them private. This balance is important for security and collaboration in cloud storage.
Where it fits
You should know basic cloud storage concepts and Azure Storage accounts first. After this, you can learn about blob lifecycle management and advanced security like shared access signatures.
Mental Model
Core Idea
Blob containers organize files in Azure Storage, and access levels decide who can see or change those files.
Think of it like...
Think of a blob container as a mailbox where you put letters (files). Access levels are like the mailbox lock: private means only you have the key, public blob means anyone can read a letter if they know which one to ask for but cannot open the box, and public container means anyone can open the box and read all the letters.
┌────────────────────────────────────────────────────────┐
│                     Blob Container                     │
│  ┌───────────────┐                                     │
│  │ Blob 1 (file) │                                     │
│  │ Blob 2 (file) │                                     │
│  └───────────────┘                                     │
│                                                        │
│ Access Levels:                                         │
│  [Private] - Only owner                                │
│  [Blob Public] - Anyone reads blobs only               │
│  [Container Public] - Anyone reads container and blobs │
└────────────────────────────────────────────────────────┘
Build-Up - 7 Steps
1. Foundation - Understanding Blob Containers
Concept: Introduce what a blob container is in Azure Storage.
A blob container is a way to group blobs (files) inside an Azure Storage account. Think of it as a folder where you store your files. Each container has a unique name and holds blobs like images, documents, or videos.
Result
You can organize and manage your files in Azure Storage by grouping them into containers.
Knowing that containers group blobs helps you organize data logically and manage permissions at the container level.
2. Foundation - Basics of Access Levels
Concept: Explain the three main access levels for blob containers.
Azure blob containers have three access levels:
1. Private (off): no anonymous access; every request must be authorized, for example with the account key, a SAS token, or Azure AD credentials.
2. Blob Public: anyone who knows a blob's URL can read that blob, but cannot list the blobs in the container.
3. Container Public: anyone can read blobs and list all blobs in the container.
These levels control who can read or list your files anonymously; none of them grants anonymous write access.
Result
You understand how access levels control visibility and listing of blobs.
Access levels are the first line of defense for your data's privacy and sharing.
3. Intermediate - Setting Access Levels in Azure Portal
Before reading on: do you think setting access levels requires coding, or can it be done via the Azure Portal? Commit to your answer.
Concept: Show how to change access levels using Azure Portal.
In Azure Portal, go to your Storage Account > Blob service > Containers. Select a container, then click 'Change access level'. Choose Private, Blob, or Container and save. This updates who can access your blobs without writing code.
Result
You can control access levels easily through the Azure Portal interface.
Knowing how to set access levels in the portal empowers quick security changes without developer help.
4. Intermediate - Access Levels Impact on URL Sharing
Before reading on: if a container is private, can someone access a blob by its URL? Commit to yes or no.
Concept: Explain how access levels affect sharing blob URLs.
If a container is private, blob URLs require authorization and will not work for anonymous users. If it is set to Blob Public, anyone with the blob URL can read that blob. Container Public additionally lets anonymous users list all blobs and read them. So the access level decides whether sharing a bare URL works publicly.
Result
You understand when blob URLs can be shared publicly or not.
Knowing this prevents accidental data exposure by sharing URLs from private containers.
5. Intermediate - Using Access Levels with Azure CLI
Before reading on: do you think access levels can be set only in the portal, or also via the command line? Commit to your answer.
Concept: Teach how to set access levels using Azure CLI commands.
Use the command:
az storage container set-permission --name <container-name> --public-access <level> --account-name <account-name>
Replace <level> with 'off' (private), 'blob', or 'container'. This lets you automate access control.
Result
You can script access level changes for automation or repeatability.
Knowing CLI commands enables managing access levels in automated workflows or scripts.
6. Advanced - Security Risks of Public Access Levels
Before reading on: do you think public access levels expose data to everyone or only to trusted users? Commit to your answer.
Concept: Discuss risks of setting containers to public access.
Public access means anyone on the internet can read blobs or list container contents. This can lead to data leaks if sensitive files are stored. Always review if public access is necessary and consider alternatives like shared access signatures for controlled sharing.
Result
You recognize when public access can cause security issues.
Understanding risks helps prevent accidental exposure of sensitive data in production.
7. Expert - Access Levels and Shared Access Signatures
Before reading on: do you think shared access signatures depend on container access levels or work independently? Commit to your answer.
Concept: Explain how shared access signatures (SAS) provide fine-grained access regardless of container access level.
Shared access signatures are tokens that grant temporary, specific permissions to blobs or containers. Even if a container is private, a SAS token can allow read or write access for a limited time. This lets you share files securely without making containers public.
Result
You can securely share blobs with controlled access using SAS tokens.
Knowing SAS tokens work independently of access levels unlocks flexible, secure sharing strategies.
Under the Hood
Azure Storage manages blob containers as namespaces within a storage account. Access levels are metadata settings on containers that the Azure Storage service checks on every request. When a request comes in, the service verifies if the caller has permission based on the container's access level and any authorization tokens. Public access levels allow anonymous requests to read blobs or list containers, while private requires authentication.
Why designed this way?
Access levels were designed to balance ease of sharing and security. Early cloud storage needed simple ways to share files publicly without complex permissions. The three-level model offers a clear, easy-to-understand approach. More granular control is provided by SAS tokens to avoid overexposing data.
┌───────────────────────────────┐
│       Azure Storage Service   │
│ ┌───────────────┐             │
│ │ Blob Container│             │
│ │ Access Level  │             │
│ │ (Private/Blob/│             │
│ │ Container)    │             │
│ └──────┬────────┘             │
│        │ Checks access level  │
│        ▼                      │
│ ┌───────────────┐             │
│ │ Request       │             │
│ │ Authorization │             │
│ └───────────────┘             │
│        │                      │
│        ▼                      │
│ ┌───────────────┐             │
│ │ Allow or Deny │             │
│ │ Access        │             │
│ └───────────────┘             │
└───────────────────────────────┘
Myth Busters - 4 Common Misconceptions
Quick: Does setting a container to 'Blob Public' allow anyone to list all blobs? Commit to yes or no.
Common Belief: If a container is set to 'Blob Public', anyone can list all blobs inside it.
Reality: 'Blob Public' allows anyone to read blobs if they know the URL, but does NOT allow listing all blobs in the container. Only 'Container Public' allows listing.
Why it matters: Assuming 'Blob Public' allows listing can lead to overestimating exposure and missing needed security controls.
Quick: Can a shared access signature (SAS) token override a container's private access level? Commit to yes or no.
Common Belief: If a container is private, no one can access blobs even with a SAS token.
Reality: SAS tokens grant temporary, specific access regardless of container access level, allowing access to private containers securely.
Why it matters: Misunderstanding SAS tokens limits secure sharing options and leads to unnecessary public exposure.
Quick: Does setting a container to 'Container Public' mean anyone can modify blobs? Commit to yes or no.
Common Belief: 'Container Public' access lets anyone read and modify blobs.
Reality: 'Container Public' only allows anonymous read and list access; write or delete requires authentication.
Why it matters: Confusing read access with write access can cause unnecessary fear or misconfiguration.
Quick: If a blob is inside a private container, can you make the blob itself public? Commit to yes or no.
Common Belief: Individual blobs can have different access levels than their container.
Reality: Blob access is controlled by the container's access level; individual blobs cannot override container privacy.
Why it matters: Trying to make blobs public inside private containers leads to confusion and failed sharing attempts.
Expert Zone
1. Public access levels do not affect write permissions; write always requires authentication.
2. Changing a container's access level does not affect existing SAS tokens; they remain valid until expiry.
3. Azure Storage logs and metrics can help detect unintended public access or suspicious activity.
When NOT to use
Avoid using public access levels for sensitive or regulated data. Instead, use private containers combined with shared access signatures or Azure Active Directory-based access control for fine-grained security.
Production Patterns
In production, containers are usually private. SAS tokens are generated dynamically for temporary access. Public access is reserved for static content like website assets or public datasets. Access levels are managed via infrastructure as code or automation scripts for consistency.
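As an added example (not part of the original page), the audit helper below reads the output of az storage container list, flags every container that allows anonymous access, reports what an anonymous caller could do at that level, and prints the CLI command that makes the container private again. It assumes the name and properties.publicAccess fields of az storage container list -o json; the sample output and the account name mystorage are constructed.

```python
"""Flag Azure blob containers that allow anonymous access.

Added example, not the page's own code. It parses the JSON printed by
`az storage container list -o json` (assumed fields: `name` and
`properties.publicAccess`) and emits one finding per public container.
"""
import json

# What an anonymous (unauthenticated) request may do at each access level.
# Write and delete are never anonymous: they always require authorization.
ANONYMOUS_RIGHTS = {
    None: set(),                      # private: every request must be authorized
    "blob": {"read"},                 # read a blob if you know its URL; no listing
    "container": {"read", "list"},    # read any blob and enumerate the container
}

# Constructed sample of `az storage container list -o json` output.
SAMPLE_CLI_OUTPUT = json.dumps([
    {"name": "invoices", "properties": {"publicAccess": None}},
    {"name": "assets", "properties": {"publicAccess": "blob"}},
    {"name": "datasets", "properties": {"publicAccess": "container"}},
])


def anonymous_can(public_access, operation):
    """True if an unauthenticated request may perform `operation` at this level."""
    return operation in ANONYMOUS_RIGHTS.get(public_access, set())


def audit_containers(cli_json, account):
    """Return a finding for each container in `cli_json` that anonymous users can read."""
    findings = []
    for container in json.loads(cli_json):
        level = container.get("properties", {}).get("publicAccess")
        if not anonymous_can(level, "read"):
            continue  # private container: nothing exposed anonymously
        findings.append({
            "container": container["name"],
            "public_access": level,
            "anonymous_list": anonymous_can(level, "list"),
            # Remediation uses the same CLI command the page shows for step 5.
            "remediate": (
                f"az storage container set-permission --name {container['name']} "
                f"--public-access off --account-name {account}"
            ),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_containers(SAMPLE_CLI_OUTPUT, "mystorage"):
        print(finding)
```

In a real audit, replace SAMPLE_CLI_OUTPUT with the captured output of the CLI command and review each remediation command before running it, since public access may be intentional for static assets.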
Connections
File System Permissions
Similar pattern of controlling who can read, write, or list files.
Understanding blob container access levels is easier when you relate it to familiar file system permissions on your computer.
Network Firewalls
Both control access but at different layers: firewalls control network traffic, access levels control data visibility.
Knowing how access levels complement network security helps design layered defenses in cloud environments.
Library Book Lending
Both involve controlled sharing of resources with rules on who can access and for how long.
Thinking of SAS tokens like library cards that grant temporary borrowing rights clarifies secure, time-limited access.
Common Pitfalls
#1 Making a container public without realizing it exposes all blobs.
Wrong approach: az storage container set-permission --name mycontainer --public-access container --account-name mystorage
Correct approach: az storage container set-permission --name mycontainer --public-access off --account-name mystorage
Root cause: Misunderstanding the difference between blob and container public access and the security implications.
#2 Sharing blob URLs from private containers and expecting public access.
Wrong approach: Sharing https://mystorage.blob.core.windows.net/privatecontainer/myblob.jpg without a SAS token
Correct approach: Generate a SAS token and share https://mystorage.blob.core.windows.net/privatecontainer/myblob.jpg?<sas-token>
Root cause: Not knowing that private containers require authorization even if you have the blob URL.
#3 Assuming SAS tokens grant unlimited access.
Wrong approach: Creating SAS tokens without an expiry or without limiting permissions
Correct approach: Create SAS tokens with specific permissions and expiry times to limit access
Root cause: Lack of understanding of SAS token scope and security best practices.
Key Takeaways
Blob containers group files in Azure Storage and control access to those files.
Access levels (private, blob public, container public) determine who can read or list blobs.
Public access should be used carefully to avoid accidental data exposure.
Shared access signatures provide secure, temporary access independent of container access levels.
Managing access levels properly is essential for balancing security and sharing in cloud storage.