
Immutable storage prevents blob objects from being updated or deleted for a retention period; however, it still allows blob objects to be read and created. When immutable storage policies are enabled, the blob objects move into a WORM (Write Once, Read Many) state.
This feature is available for general-purpose v2, general-purpose v1, Blob Storage, and Block Blob Storage accounts in all Azure regions. The Immutable Storage feature is available at the container level. Immutable storage supports two types of policies:
Time-based retention policy: This policy allows blob objects to be read and created during the retention period, but update and delete are not allowed. Once the retention period expires, blobs can be deleted, but not overwritten.
Legal hold policy: This option can be used if we don’t know how long the retention period will be. A legal hold policy is tag-based, so at least one tag must be created to enable it. While this policy is enabled, blob objects can be read and created as long as one or more tags are associated with the policy, but update and delete are not allowed.
To implement these policies and see their behavior, we need an Azure Storage Account and a blob container. I have already created a general-purpose V2 Storage Account <ttimmutable> and a container <container1> within the storage account.

Apply Time-Based Policy
To apply a time-based retention policy, perform the steps below:
- Go to the container within the storage account
- Select Access policy from the Settings section
- Click on “Add policy” under Immutable blob storage
- Select time-based retention
- Set the retention period to 1 day. The acceptable values for the retention period are 1 to 146000 days.
- Check “Allow additional protected appends”.
- Click OK to create the time-based policy.


Once the time-based retention policy is created, it is in the unlocked state. The unlocked state is useful during the development phase because the policy can still be deleted.
Once the policy is locked, it cannot be deleted; only extensions to the retention period are allowed, and blob updates and deletes cannot be done.
To lock the policy, right-click the ellipsis (…) and select Lock Policy.


Apply Legal Hold Policy
To apply a legal hold policy, perform the steps below:
- Go to the container within the storage account
- Select Access policy from the Settings section
- Click on “Add policy” under Immutable blob storage
- Select Legal Hold
- Enter the tag
- Click OK to create the legal hold policy


To clear a legal hold, remove the applied legal hold tag by clicking the ellipsis (…) and selecting Edit.
Now we have created a time-based retention policy and a legal hold policy.
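The same two procedures can be scripted with the Azure CLI. This is an added example, not part of the original post; the resource group name `example-rg` and the legal hold tag are assumptions. Because a locked policy cannot be deleted, the lock helper refuses to lock unless the policy is still unlocked with the expected retention period.

```bash
#!/bin/sh
# Added example: Azure CLI equivalent of the portal steps above.
RG="${RG:-example-rg}"             # assumption: hypothetical resource group
ACCOUNT="${ACCOUNT:-ttimmutable}"  # storage account named in the post
CONTAINER="${CONTAINER:-container1}"

# Append the same target arguments to every command so all calls hit
# the same container.
scope() {
  "$@" --resource-group "$RG" --account-name "$ACCOUNT" \
       --container-name "$CONTAINER"
}

# Create (or update) an unlocked time-based retention policy. $1 = days.
apply_retention() {
  scope az storage container immutability-policy create \
    --period "$1" --allow-protected-append-writes true
}

# Read one field of the current policy. $1 = JMESPath expression.
policy_field() {
  scope az storage container immutability-policy show \
    --query "$1" --output tsv
}

# Lock the policy only if it is still Unlocked with the expected period.
# Locking is one-way: afterwards the period can only be extended.
lock_if_expected() {
  # Read the etag first: --if-match makes the lock fail if the policy
  # changed after this point.
  lk_etag=$(policy_field etag)
  lk_state=$(policy_field state)
  lk_days=$(policy_field immutabilityPeriodSinceCreationInDays)
  if [ "$lk_state" != "Unlocked" ] || [ "$lk_days" != "$1" ]; then
    echo "not locking: state=$lk_state period=$lk_days, expected $1" >&2
    return 1
  fi
  scope az storage container immutability-policy lock --if-match "$lk_etag"
}

# Place or clear a legal hold. Arguments are the tag(s).
set_legal_hold()   { scope az storage container legal-hold set   --tags "$@"; }
clear_legal_hold() { scope az storage container legal-hold clear --tags "$@"; }

# Usage (tag value is a constructed sample):
#   apply_retention 1 && lock_if_expected 1
#   set_legal_hold case2024
```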
Demo
Let’s navigate to the container and try to upload some blobs. The first time, you will be able to upload the blobs. But when you try to upload the same blob files again with “Overwrite if files already exist” selected, they will not be uploaded because of the immutable policies.



Now, if you try to delete any of the files from the container, the delete fails because of the policies.


So, we have seen immutable blobs and their policies, which provide additional protection for blob containers.
If you have any suggestions/feedback, please put them in the comment box.
Happy Learning 🙂