Azure Storage – Immutable Storage in Azure Blob Storage

Immutable storage prevents blob objects from being updated or deleted for a retention period, while still allowing them to be created and read. When immutable storage policies are enabled, the blob objects move into a WORM (Write Once, Read Many) state.

This feature is available for general-purpose v2, general-purpose v1, Blob Storage, and Block Blob Storage accounts in all Azure regions. The immutable storage feature is applied at the container level. Immutable storage supports two types of policies:

Time-based retention policy: This policy allows blobs to be created and read during the retention period, but not updated or deleted. Once the retention period expires, blobs can be deleted but not overwritten.

Legal hold policy: Use this option when the retention period is not known in advance. A legal hold is a tag-based policy, so at least one tag must be created to enable it. As long as at least one tag is associated with the policy, blobs can be created and read but not updated or deleted.

To implement these policies and see their behavior, we need an Azure Storage Account and a blob container. I have already created a general-purpose v2 storage account <ttimmutable> and a container <container1> within it.

Figure 1: Blob Storage Create

Apply Time-Based Policy

To apply a time-based retention policy, perform the following steps:

  1. Go to the container within the storage account
  2. Select Access policy from the Settings section
  3. Click on “Add policy” under Immutable blob storage
  4. Select time-based retention
  5. Set the retention period to 1 day. Acceptable values for the retention period are 1 to 146000 days.
  6. Check “Allow additional protected appends”.
  7. Click OK to create the time-based policy.

Figure 2: Option Navigation

Figure 3: Create Time-based retention policy

Once a time-based retention policy is created, it is in the unlocked state. The unlocked state is useful during the development phase because the policy can still be deleted.

Once the policy is locked, it cannot be deleted; only extensions to the retention period are allowed, and blobs cannot be updated or deleted.

To lock the policy, right-click the ellipsis (…) and select Lock Policy.

Figure 4: Unlock State

Figure 5: Edit time-based retention

Apply Legal Hold Policy

To apply a legal hold policy, perform the following steps:

  1. Go to the container within the storage account
  2. Select Access policy from the Settings section
  3. Click on “Add policy” under Immutable blob storage
  4. Select Legal Hold
  5. Enter the tag
  6. Click OK to create the legal hold policy

Figure 6: Create legal hold policy

Figure 7: Legal Hold State

To clear a legal hold, remove the applied legal hold tag by clicking the ellipsis (…) and selecting Edit.

We have now created a time-based retention policy and a legal hold policy.
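
As an added example (not part of the original post), the following Python code audits container records for the states described above: a time-based policy that is still unlocked, a retention period outside the 1 to 146000 day range, and a container protected only by legal hold tags. The record field names are assumed to mirror the Azure Resource Manager blob container resource; the sample records, including the archive, holdonly and scratch containers and the tag values, are constructed.

```python
# Added example: audit container immutability settings (constructed sample data).
MIN_DAYS, MAX_DAYS = 1, 146000  # retention range given in the steps above

# Constructed records; field names are assumed to mirror the ARM container resource.
SAMPLE = [
    {"name": "container1", "hasImmutabilityPolicy": True, "hasLegalHold": True,
     "immutabilityPolicy": {"immutabilityPeriodSinceCreationInDays": 1,
                            "state": "Unlocked", "allowProtectedAppendWrites": True},
     "legalHold": {"hasLegalHold": True, "tags": [{"tag": "case001"}]}},
    {"name": "archive", "hasImmutabilityPolicy": True, "hasLegalHold": False,
     "immutabilityPolicy": {"immutabilityPeriodSinceCreationInDays": 365,
                            "state": "Locked", "allowProtectedAppendWrites": False},
     "legalHold": None},
    {"name": "holdonly", "hasImmutabilityPolicy": False, "hasLegalHold": True,
     "immutabilityPolicy": None,
     "legalHold": {"hasLegalHold": True, "tags": [{"tag": "case002"}]}},
    {"name": "scratch", "hasImmutabilityPolicy": False, "hasLegalHold": False,
     "immutabilityPolicy": None, "legalHold": None},
]


def audit_container(c):
    """Return findings for one container; an empty list means a locked, in-range policy."""
    policy = c.get("immutabilityPolicy") or {}
    tags = [t["tag"] for t in (c.get("legalHold") or {}).get("tags") or []]
    has_policy = bool(c.get("hasImmutabilityPolicy"))
    has_hold = bool(c.get("hasLegalHold")) and bool(tags)
    if not has_policy and not has_hold:
        return ["no immutable policy: blobs can be overwritten or deleted"]
    findings = []
    if has_policy:
        days = policy.get("immutabilityPeriodSinceCreationInDays", 0)
        if not MIN_DAYS <= days <= MAX_DAYS:
            findings.append(f"retention period {days} is outside {MIN_DAYS}-{MAX_DAYS} days")
        if policy.get("state") != "Locked":
            findings.append("time-based policy is unlocked: it can still be deleted")
    else:  # legal hold is the only protection on this container
        findings.append(f"legal hold only ({', '.join(tags)}): protection ends when the tags are cleared")
    return findings


def audit(containers):
    """Map container name -> list of findings for every record."""
    return {c["name"]: audit_container(c) for c in containers}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else "; ".join(findings))
```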

Demo

Let’s navigate to the container and try to upload some blobs. The first upload succeeds. But when you try to upload the same blob files again with “Overwrite if files already exist” selected, the upload fails because of the immutable policies.

Figure 8: Upload Blob

Figure 9: Blob Listing

Figure 11: Again upload Blob

Now, if you try to delete any file from the container, the delete fails because of the policies.

Figure 10: Blob Delete

Figure 12: Blob Listing

So, we have seen immutable blobs and their policies, which provide additional protection for blob containers.

If you have any suggestions/feedback, please put them in the comment box.

Happy Learning 🙂
