Azure Storage Account Immutability (Part 4/4): Conclusion
The last 3 articles covered the basics of the Storage Account immutability feature and the use of Time based retention and Legal Hold immutability policies.
This final article of the series summarizes the Time based retention and Legal Hold immutability policies. In addition, it gives a pictorial representation of the possible options for configuring both policies across all the scopes, for easy understanding. The articles in this series are listed below for quick reference.
Azure Storage Account Immutability : Basics
Azure Storage Account Immutability : Time Based Retention
Azure Storage Account Immutability : Legal Hold Based Retention
Summary of concepts discussed:
- Azure Storage Account immutability refers to the ability to prevent editing and deleting of Storage Blobs and, optionally, the versions of each Blob.
- Azure provides Storage Immutability through 2 options:
  - Time Based Retention: prevents editing and deleting a Blob, and optionally its versions, for a defined time (anywhere between 1 day and 400 years).
  - Legal Hold: prevents editing and deleting a Blob, and optionally its versions, when the retention period is unknown.
- Azure Storage Immutability can be set at:
  - Blob version level, a.k.a. version level immutability
  - Blob level, a.k.a. container level immutability
- Both Time based retention and Legal Hold policies can be applied at Blob level and Blob version level.
- Blob version level immutability scope requires enabling:
  - Blob versioning at Account level, and
  - Blob version immutability either at Account level or at a specific Container level.
    - Blob version immutability at Account level can only be set when creating an account; an existing Account cannot be updated. Once set at Account level, the option is enabled for all the containers in the account and it cannot be disabled at Container level.
    - Blob version immutability at Container level can be set either while creating a container or by migrating an existing Container.
  - If blob version immutability is not enabled at Account level, then it needs to be enabled at Container level to set policies at blob version level.
  - Once Blob version immutability is enabled at Account level, a default time retention for blob/version can be set at Account level. This value is used as the default time based retention policy for blob/version across all the Containers within the account.
  - Once Blob version immutability is enabled either at Account level or Container level, a default time retention for blob/version can also be set at Container level. This value is used as the default time based retention policy for blob/version in the specific container, and it overrides the time based retention policy set at Account level.
  - Once Blob version immutability is enabled either at Account level or Container level, the Legal Hold policy cannot be enabled at Container level; the option is disabled. However, the Legal Hold policy can still be configured at blob/version level.
  - Regardless of whether a default time based retention policy exists at Account level and/or Container level, time based retention can be configured directly at blob/version level if blob version immutability is enabled either at Account level or at the specific Container level.
  - In addition to Time based retention, Azure also allows enabling Legal Hold policy based immutability at blob/version level.
- Blob container level immutability scope requires disabling the Blob version immutability setting at Account and Container level.
  - Define a Time based retention policy on every container whose blobs need to be immutable. This time based retention policy is applied to all the blobs uploaded to the specific container, and the uploaded blobs are immutable for the configured number of days.
  - In addition to Time based retention, Azure also allows enabling Legal Hold policy based immutability at Container level.
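The rules summarized above can be expressed as a small configuration check. This is an added example, not code from the original article or from Azure. The class names, field names and `evaluate` function are hypothetical, and the 146,000-day limit is the 400-year upper bound expressed in days (an assumption, since the article only says 400 years).

```python
from dataclasses import dataclass
from typing import Optional

MAX_RETENTION_DAYS = 146_000  # assumption: the article's 400-year upper bound, in days

@dataclass
class Account:  # hypothetical model of the account settings discussed in the summary
    blob_versioning: bool
    version_immutability: bool            # can only be set when the account is created
    default_retention_days: Optional[int] = None

@dataclass
class Container:  # hypothetical model of one container's settings
    version_immutability: bool = False    # set at creation or by migrating the container
    retention_days: Optional[int] = None  # default (version scope) or policy (container scope)
    legal_hold: bool = False              # legal hold configured on the container itself

def evaluate(account: Account, container: Container) -> dict:
    """Return the effective scope and default retention, plus any rule violations."""
    problems = []
    version_scope = account.version_immutability or container.version_immutability
    if account.default_retention_days is not None and not account.version_immutability:
        problems.append("account default retention needs version immutability on the account")
    retention = container.retention_days
    if version_scope:
        if not account.blob_versioning:
            problems.append("version-level immutability requires blob versioning on the account")
        if container.legal_hold:
            problems.append("legal hold cannot be set at container level in version scope")
        # The container default overrides the account default; fall back only if unset.
        if retention is None and account.version_immutability:
            retention = account.default_retention_days
    if retention is not None and not 1 <= retention <= MAX_RETENTION_DAYS:
        problems.append(f"retention of {retention} days is outside 1..{MAX_RETENTION_DAYS}")
    return {
        "scope": "blob version" if version_scope else "container",
        "retention_days": retention,
        "legal_hold_at": "blob/version" if version_scope else "container",
        # In version scope a blob can still get its own policy; this flags a missing default.
        "unprotected_by_default": retention is None
        and not (container.legal_hold and not version_scope),
        "problems": problems,
    }
```

Running `evaluate` over each container of an account shows which containers rely on an inherited default, which have no default protection at all, and which settings contradict the scope rules.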
Visual representation of possible combinations of Storage Account Immutability policies & Scopes supported:
Possible combinations of policies, scopes & storage account configurations:
If you have come this far, thank you for taking the time to understand the concepts around Azure Storage Account Immutability.
Happy Learning!