Jorge Bernhardt

How to set Immutable storage for Azure Blob storage


Hi, today I want to talk to you about immutable storage. Immutable Storage is an Azure Blob Storage capability that allows you to store business-critical data in a WORM state (write once, read many). This state is set at the container level, and through policies, you can set time-based retention, extend retention intervals, and set and remove legal holds. These policies apply to all blobs in the container, both existing and new. Immutable storage supports two policy types:

Now that the characteristics of Azure immutable storage have been explained, we can begin this tutorial. In this post, I’ll show you how to list, create, update, lock, and extend immutability policies in your Azure Blob storage using Azure CLI.

Prerequisites

  • This tutorial assumes that you already have a Microsoft Azure account configured.
  • You can use an existing Storage Account, or you can create a new one. If you want to know how to create a Storage Account using PowerShell, check out this link.

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link. First, we define the characteristics of our environment and store the values in variables.

resourceGroupName="RG-DEMO-NE"
storageAccount="stoaccountcli"
container="importantfiles"

Time-based retention policy

First, use the following command to list the commands available to work with the immutability policies.

az storage container immutability-policy \
--help


Gets the existing immutability policies

If you want to see the existing immutability policies, you should use the following command.

az storage container immutability-policy show \
--account-name $storageAccount \
--container-name $container

Creates an immutability policy

To create an immutability policy for a container, you should use the following command.

az storage container immutability-policy create \
--account-name $storageAccount \
--container-name $container \
--period 1

--period: The time period must be indicated in days.

Immutability policies are always created in the unlocked state.

Updates an immutability policy

As long as the state of the policy is unlocked, you can modify it. In the following example, the policy is modified to allow the creation of new blobs in the container.

az storage container immutability-policy create \
--account-name $storageAccount \
--container-name $container \
--allow-protected-append-writes


Set the Immutability Policy to Locked state

Important: Keep in mind that once the policy is locked, it cannot be deleted, and you must wait for the period of time stipulated in the policy to elapse before you can delete either the container or the storage account.

To lock an immutability policy, first store the ETag value of the policy you want to lock in the $etag variable, and then use the following command to lock the policy.

etag=$(az storage container immutability-policy show \
--account-name $storageAccount \
--container-name $container \
--query "etag" \
-o tsv)

az storage container immutability-policy lock \
--account-name $storageAccount \
--container-name $container \
--if-match $etag
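
Because the lock cannot be undone, automation should verify the policy before locking it. The following guard is an added example, not code from the original post: `policy_field` and `safe_lock` are hypothetical helper names, and it assumes the `show` output exposes the `state` and `immutabilityPeriodSinceCreationInDays` fields alongside `etag`.

```bash
# Added example: refuse to lock unless the policy is what the operator expects.
# policy_field and safe_lock are hypothetical helper names.

# Read one field of the container's immutability policy
# (the same "show" call the post uses to fetch the ETag).
policy_field() {  # usage: policy_field <account> <container> <field>
  az storage container immutability-policy show \
    --account-name "$1" \
    --container-name "$2" \
    --query "$3" \
    -o tsv
}

# Lock only when the policy is still Unlocked and its retention period is
# exactly the number of days the caller expects.
# Returns 0 when locked, 2 on a CLI error, 3 on wrong state, 4 on wrong period.
safe_lock() {  # usage: safe_lock <account> <container> <expected-days>
  local account="$1" container="$2" expected="$3"
  local etag state period

  # Capture the ETag first: if anyone modifies the policy after this point,
  # its ETag changes and the --if-match lock below is rejected.
  etag=$(policy_field "$account" "$container" "etag") || return 2
  state=$(policy_field "$account" "$container" "state") || return 2
  period=$(policy_field "$account" "$container" \
    "immutabilityPeriodSinceCreationInDays") || return 2

  if [ "$state" != "Unlocked" ]; then
    echo "refusing: policy state is '$state', expected 'Unlocked'" >&2
    return 3
  fi
  if [ "$period" != "$expected" ]; then
    echo "refusing: period is $period day(s), expected $expected" >&2
    return 4
  fi

  az storage container immutability-policy lock \
    --account-name "$account" \
    --container-name "$container" \
    --if-match "$etag"
}
```

With the variables defined earlier, `safe_lock "$storageAccount" "$container" 1` locks the one-day policy created above and refuses if the period or state differs.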


Extend the immutability Period

If you want to extend the policy period, use the following command. As with the lock command, you must supply the ETag value of the policy.

etag=$(az storage container immutability-policy show \
--account-name $storageAccount \
--container-name $container \
--query "etag" \
-o tsv)

az storage container immutability-policy extend \
--account-name $storageAccount \
--container-name $container \
--if-match $etag \
--period 2


Legal holds Policy

First, use the following command to list the commands available to work with the legal hold policies.

az storage container legal-hold \
--help


Get the legal hold properties

If you want to see the properties of existing legal hold policies, you should use the following command.

az storage container legal-hold show \
--account-name $storageAccount \
--container-name $container


Set a legal hold

To set a legal hold, use the following command. The --tags parameter is used as a named identifier, such as a case ID or event, to categorize and describe the purpose of the hold.

az storage container legal-hold set \
--account-name $storageAccount \
--container-name $container \
--tags "caseID1234"


Clear a legal hold

Finally, to clear a legal hold, use the following command, specifying in your request the associated tags that you want to remove.

az storage container legal-hold clear \
--account-name $storageAccount \
--container-name $container \
--tags "caseID1234"


Thanks for reading my post. I hope you find it useful.

If you want to know more about immutable storage, check out this link.