Overview
This document describes how to deploy a Nasuni environment in Microsoft Azure, using Azure Blob storage to store your file data.
Prerequisites
This document assumes that the customer has a Microsoft Azure subscription and a pre-configured Identity and Access Management (IAM) user account with an Access key and Secret access key for use with an Azure Storage account.
Therefore, this document DOES NOT cover the following:
Microsoft Azure account registration: See Create Your Azure Free Account Or Pay As You Go | Microsoft Azure
Microsoft Azure resource group creation: See Use the Azure portal and Azure Resource Manager to Manage Resource Groups - Azure Resource Manager.
Microsoft Azure IAM Policies: See Identity and Access Management (IAM): Core Concepts and Benefits - Microsoft Entra.
Tip: In the Nasuni model, customers provide their own Azure Blob accounts for the storage of their data. Customers should leverage Azure’s role-based access and identity access management features as part of their overall security strategy. Such features can be used to limit or prohibit administrative access to the cloud account, based on customer policies.
Microsoft Azure storage account creation: See Create an Azure storage account - Azure Storage
Microsoft Azure storage account firewall configuration: See Azure Storage firewall rules.
Microsoft Azure Virtual Network creation: See https://learn.microsoft.com/en-us/azure/virtual-network.
Microsoft Azure Private Link: See Private Link Documentation - Quickstarts, How to guides, and API references
On-premises connectivity to Microsoft Azure Cloud Network:
Azure Private Cloud Connections: See Azure ExpressRoute | Microsoft Azure.
Azure Virtual Private Network: See VPN Gateway | Microsoft Azure.
Note: Consider where Edge Appliances are deployed and how they access the storage account. For example, via the Internet, Azure ExpressRoute, or a VPN connection to Azure. Most customers select the default, Public endpoint (all networks).
Tiers
Azure Storage has four performance tiers: Hot, Cool, Cold, and Archive. Nasuni only supports online tiers, which are Hot, Cool, and Cold. Storing production data in the Cool tier is recommended for most volumes since it offers the best price point without impacting Edge Appliance performance. Nasuni does not currently support Azure Archive Storage, which is an offline tier.
Tiering storage accounts
Azure supports setting a default storage account access tier, Hot or Cool, for GPv2 or blob storage accounts. Newly created storage accounts default to the Hot tier. To make the Cool tier the default, customers must change the account's default access tier from Hot to Cool. Changing the tier of an existing storage account is transparent to Nasuni and non-disruptive to Edge Appliance operations.
Note: Unlike Hot and Cool, Cold is not offered as a selectable option during the storage account configuration process. To use it, customers need to configure lifecycle management rules that are based on access tracking. When enabled, access tracking records when a blob was last accessed, and a rule can be defined to move objects that have not been accessed for 90 days or longer. Enabling this feature incurs an additional cost.
Transitioning objects with life cycle management
Nasuni’s snapshots are used to identify new or changed data. Using snapshots offers data protection by enabling you to recover files deleted in error or to restore an entire file system. The Nasuni general guideline is to create a lifecycle rule to expire previous object versions after a specified time. This ensures that you continue to realize cost savings from deleted files, as well as on any volumes that have a Snapshot Retention policy.
Nasuni supports transitioning objects with Azure Storage lifecycle management to Cool and Cold storage tiers in order to optimize storage costs. See Configure a lifecycle management policy for details.
Nasuni supports an immutable storage policy if you preserve your snapshots for the length of the policy. Additionally, if you do not want Nasuni to prune (delete) objects, then Nasuni recommends using the default Snapshot Retention option, ‘All snapshots’, to retain all snapshots indefinitely. For more information, see Snapshot Retention.
Important: If you select a 30-day retention policy (for example), this does not mean that no data older than 30 days is retained. It means that data older than 30 days becomes eligible for removal, but this removal might not occur for a considerable time.
Important: No data is removed unless the customer deletes the data from their system first, regardless of how old the data is.
Azure Blob Versioning Support
Azure Storage Object Versioning helps protect your data from accidental deletion or overwrite, and Nasuni fully supports this feature as part of its global file services platform. However, it is imperative that customers understand how versioning works before enabling it. If not configured carefully, versioning can result in uncontrolled storage growth, inaccurate data metrics, and significantly higher costs.
This guide provides best practices for implementing object versioning, whether directly in Azure or with Nasuni, to ensure that it is applied safely, effectively, and cost-efficiently. The following list outlines the recommended practices and guidance that customers should follow. Use versioning for specific scenarios, such as:
Recovering from accidental deletes or overwrites.
Protecting against compromised containers.
Meeting compliance or auditing requirements.
When enabling versioning, do not accept the default setting of keeping all versions, because keeping every version can result in rapid storage growth and unexpected costs. Instead, configure lifecycle rules to automatically delete older versions after 14 days.
The following information provides additional guidance that might be helpful:
In Azure, deletes are recorded as previous versions, not as traditional soft deletes.
Without lifecycle management, deleted objects remain in storage indefinitely, consuming space and skewing metrics.
Always pair versioning with a lifecycle management policy to automatically clean up older versions.
Regularly review metrics for storage consumption by object versions.
Adjust lifecycle rules if versioned data starts driving up costs.
Real-world example: By tuning lifecycle settings, storage usage was reduced from 130 TB to 70 TB, resulting in a nearly 50% reduction in costs.
For more information, see Azure Blob Versioning.
Recovering a deleted storage account
It is possible to recover a deleted storage account if the following conditions are true:
It has been less than 14 days since the storage account was deleted.
You created the storage account with the Azure Resource Manager deployment model. Storage accounts created using the Azure Portal satisfy this requirement. The older classic storage accounts do not.
A new storage account with the same name has not been created since the original storage account was deleted.
For more information, see Recover a deleted storage account.
Azure Private Endpoints
Nasuni supports Azure Private Endpoints that rely on the DNS layer to resolve the private endpoint's IP address.
It is essential to configure your DNS settings correctly to resolve the private endpoint IP address to the fully qualified domain name (FQDN) of the connection string.
Existing Microsoft Azure services might already have a DNS configuration for a public endpoint. This configuration must be overridden to connect using your private endpoint.
The network interface associated with the private endpoint contains the information to configure your DNS. The network interface information includes FQDN and private IP addresses for your private link resource.
You can use the following options to configure your DNS settings for private endpoints:
Use a private DNS zone. You can use private DNS zones to override the DNS resolution for a private endpoint. A private DNS zone can be linked to your virtual network to resolve specific domains.
Use your DNS forwarder (optional). You can use your DNS forwarder to override the DNS resolution for a private link resource. Create a DNS forwarding rule to use a private DNS zone on your DNS server, which is hosted in a virtual network.
Note: Using the Host file on the Nasuni Edge Appliance is not supported.
Note: Nasuni’s default Host URL endpoint for Nasuni’s Azure Cloud Credentials should not be changed.
Azure services DNS zone configuration
Azure creates a canonical name DNS record (CNAME) on the public DNS. The CNAME record redirects the resolution to the private domain name. You can override the resolution with the private IP address of your private endpoints.
Your applications do not need to change the connection URL. When resolving to a public DNS service, the DNS server resolves to your private endpoints. The process does not affect Nasuni Edge Appliances.
For Azure services, use the recommended zone names as described in Azure services DNS zone configuration.
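The check below is an added example, not Nasuni's or Microsoft's code. It parses dig-style ANSWER lines for a storage account FQDN and reports whether the name resolves, through the privatelink zone, to an address inside the VNet, which is what a working private endpoint looks like from the Edge Appliance's network. The account name, the VNet range, the backend hostname and both answer sets are constructed.

```python
# Added example, not Nasuni's or Microsoft's code: verify that a storage account
# FQDN is redirected through the privatelink zone to a private endpoint address.
# Account name, VNet range and both resolver answer sets below are constructed.
import ipaddress
import re

PRIVATELINK_ZONE = "privatelink.blob.core.windows.net"
VNET_CIDR = ipaddress.ip_network("10.20.0.0/16")  # constructed VNet address space
_RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")

def parse_answers(text: str) -> list:
    """(owner, type, rdata) tuples with trailing dots stripped; other lines are ignored."""
    rrs = []
    for line in text.strip().splitlines():
        m = _RR.match(line.strip())
        if m:
            rrs.append((m.group(1).rstrip("."), m.group(2), m.group(3).rstrip(".")))
    return rrs

def resolves_privately(fqdn: str, answers: str) -> tuple:
    """Follow the CNAME chain from fqdn. Returns (ok, explanation); ok is True only
    when the chain enters PRIVATELINK_ZONE and ends at an A record inside VNET_CIDR."""
    rrs = parse_answers(answers)
    name, hops, via_privatelink = fqdn.rstrip("."), [fqdn], False
    for _ in range(len(rrs) + 1):  # bounded walk so a CNAME loop cannot spin forever
        found = [(t, r) for (o, t, r) in rrs if o == name]
        if not found:
            return False, f"no record for {name} (chain: {' -> '.join(hops)})"
        rtype, rdata = found[0]
        hops.append(rdata)
        if rtype == "CNAME":
            via_privatelink = via_privatelink or rdata.endswith(PRIVATELINK_ZONE)
            name = rdata
            continue
        ip = ipaddress.ip_address(rdata)
        chain = " -> ".join(hops)
        if not via_privatelink:
            return False, f"{chain}: never entered {PRIVATELINK_ZONE}"
        if ip not in VNET_CIDR:
            return False, f"{chain}: public address, private DNS zone override not applied"
        return True, f"{chain}: private endpoint inside {VNET_CIDR}"
    return False, "CNAME loop"

# Constructed answers: a resolver linked to the private DNS zone returns this ...
PRIVATE_ANSWERS = """
nasunidata01.blob.core.windows.net. 60 IN CNAME nasunidata01.privatelink.blob.core.windows.net.
nasunidata01.privatelink.blob.core.windows.net. 10 IN A 10.20.1.4
"""
# ... while public resolution treats the privatelink name as just another CNAME hop.
PUBLIC_ANSWERS = """
nasunidata01.blob.core.windows.net. 60 IN CNAME nasunidata01.privatelink.blob.core.windows.net.
nasunidata01.privatelink.blob.core.windows.net. 60 IN CNAME blob.example-cluster.store.core.windows.net.
blob.example-cluster.store.core.windows.net. 60 IN A 203.0.113.10
"""
```

Feed it the ANSWER section of a dig run from the Edge Appliance's subnet; a False result with a public address means the private DNS zone is not linked to that virtual network or the forwarder rule is missing.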
DNS configuration scenarios
The FQDN of the services resolves automatically to a public IP address. To resolve to the private IP address of the private endpoint, change your DNS configuration.
DNS is a critical component that enables the application to work correctly by successfully resolving the private endpoint IP address.
Based on your configuration requirements, the following scenarios are available with DNS resolution integrated:
Azure storage account considerations
If you do not already have a storage account in Microsoft Azure, create a storage account in Microsoft Azure by following these steps:
Advanced
Nasuni recommends ensuring that both "Require secure transfer for REST API operations" and "Enable storage account key access" are enabled.
Nasuni recommends using the minimum TLS Version 1.2.
Nasuni recommends using the Cool Access tier.
Note: Nasuni also supports Azure Cold Storage. To use Azure Cold Storage, configure Lifecycle Management rules that are based on access tracking. When enabled, access tracking checks when a blob was last accessed. A rule can be defined to move objects that have not been accessed for 90 days or longer. Enabling this feature might incur additional cost.
Networking
Nasuni recommends using “Public network access”; however, depending on your security policy, select the appropriate option.
Nasuni recommends using “Enable from all networks” for the Public Network access scope.
Note: Consider where Edge Appliances are deployed and how they access the storage account. For example, via the Internet, Azure ExpressRoute, or a VPN connection to Azure. Most customers select the default, “Enable from all networks”.
Configure other Networking features according to your needs.
Data protection
Note: Nasuni recommends enabling Soft Delete for all storage accounts being used for Nasuni volumes. If data is deleted, instead of the data being permanently lost, the data changes to a soft deleted state and remains available for a configurable number of days.
Nasuni recommends enabling Soft Delete on the following and specifying at least 30 days to retain data:
For Blobs
For Containers
For File shares
For more information, see Soft delete for containers.
Configure other Data Protection features according to your needs.
Tip: It is possible to recover a deleted storage account. For details, see Recovering a deleted storage account.
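The following is an added example, not Nasuni's or Microsoft's code. It lints a storage account's settings against the recommendations in the Advanced and Data protection sections above. The property names are the ARM schema names; the dict layout (account properties with the blobServices/default and fileServices/default child resources folded in under two keys) and both sample accounts are constructed.

```python
# Added example, not Nasuni's or Microsoft's code: check a storage account's
# settings against this guide's Advanced and Data protection recommendations.
# The dict layout and both sample accounts below are constructed.
MIN_SOFT_DELETE_DAYS = 30  # retention this guide asks for on blobs, containers and shares

def _retention_ok(policy: dict) -> bool:
    return bool(policy.get("enabled")) and policy.get("days", 0) >= MIN_SOFT_DELETE_DAYS

def check_storage_account(props: dict) -> list:
    """Return findings as strings; an empty list means the account matches the guidance."""
    findings = []
    if not props.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer for REST API operations is disabled")
    tls = props.get("minimumTlsVersion")
    if tls != "TLS1_2":
        findings.append(f"minimum TLS version is {tls}, expected TLS1_2")
    if not props.get("allowSharedKeyAccess", True):  # ARM default when absent is true
        findings.append("storage account key access is disabled; the connector uses the Primary Access Key")
    if props.get("accessTier") != "Cool":
        findings.append(f"default access tier is {props.get('accessTier')}, Cool is recommended")
    blob = props.get("blobServiceProperties", {})
    share = props.get("fileServiceProperties", {})
    for label, policy in (("blob", blob.get("deleteRetentionPolicy", {})),
                          ("container", blob.get("containerDeleteRetentionPolicy", {})),
                          ("file share", share.get("shareDeleteRetentionPolicy", {}))):
        if not _retention_ok(policy):
            findings.append(f"{label} soft delete is off or retains fewer than {MIN_SOFT_DELETE_DAYS} days")
    return findings

# Constructed: an account left at weak or default values ...
WEAK = {
    "supportsHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "allowSharedKeyAccess": True,
    "accessTier": "Hot",
    "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": True, "days": 7}},
    "fileServiceProperties": {},
}
# ... and the same account after applying the settings this guide recommends.
HARDENED = {
    "supportsHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "allowSharedKeyAccess": True,
    "accessTier": "Cool",
    "blobServiceProperties": {"deleteRetentionPolicy": {"enabled": True, "days": 30},
                              "containerDeleteRetentionPolicy": {"enabled": True, "days": 30}},
    "fileServiceProperties": {"shareDeleteRetentionPolicy": {"enabled": True, "days": 30}},
}

if __name__ == "__main__":
    for name, acct in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_storage_account(acct) or ["ok"])
```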
Configuration
Nasuni provides a Nasuni Connector for Microsoft Azure.
If you are required to change Cloud Credentials regularly, follow these steps, preferably outside office hours:
Obtain new credentials. Credentials typically consist of a pair of values, such as Access Key ID and Secret Access Key, Account Name and Primary Access Key, or User and Secret.
On the Cloud Credentials page, edit the cloud credentials to use the new credentials. The change in cloud credentials is registered on the next snapshot that contains unprotected data. Manually performing a snapshot also causes the change in cloud credentials to be registered, even if there is no unprotected data for the volume.
After each Edge Appliance has performed such a snapshot, the original credentials can be retired with the cloud provider.
Warning: Do not retire the original credentials with the cloud provider until you are certain that they are no longer necessary. Otherwise, data might become unavailable.
To configure Nasuni for Microsoft Azure, follow these steps:
Ensure that port 443 (HTTPS) is open between the Nasuni Edge Appliance and the object storage solution.
From the NMC, navigate to Account.
Select Cloud Credentials.
Select Add New Credentials, then select Microsoft Azure from the drop-down menu.
Enter the following credential information:
For Microsoft Azure, enter the following information:
Name: A name for this set of credentials, which is used for display purposes, such as ObjectStorageCluster1.
Account Name: The Microsoft Azure Storage Account Name for this set of credentials.
Primary Access Key: The Microsoft Azure Primary Access Key for this set of credentials.
Hostname: The hostname for the location of the object storage solution. Use the default setting: blob.core.windows.net.
Verify SSL Certificates: Use the default On setting.
Filers (on NMC only): The target Nasuni Edge Appliances.
For Microsoft Azure Gov Cloud, enter the following information:
Name: A name for this set of credentials, which is used for display purposes, such as ObjectStorageCluster1.
Account Name: The Microsoft Azure Storage Account Name for this set of credentials.
Primary Access Key: The Microsoft Azure Primary Access Key for this set of credentials.
Hostname: The hostname for the location of the object storage solution. Use: blob.core.usgovcloudapi.net.
Verify SSL Certificates: Use the default On setting.
Filers (on NMC only): The target Nasuni Edge Appliances.
Warning: Be careful changing existing credentials. The connection between the Nasuni Edge Appliance and the container could become invalid, causing loss of data access. Credential editing is to update access after changes to the account name or the access key on the Microsoft Azure system.
Click Save Credentials.
You are now ready to begin adding volumes to the Nasuni Edge Appliance.
Adding volumes
To add volumes to your Nasuni system, follow these steps:
Click Volumes, followed by Add New Volume. The Add New Volume page appears.
Enter the following information for the new volume:
Name: Enter a human-readable name for the volume.
Cloud Provider: Select Windows Azure Platform.
Credentials: Select the Cloud Credentials that you defined in step 5 for this volume, such as ObjectStorageCluster1.
For the remaining options, choose the most appropriate settings for the volume.
Click Save.
You have successfully created a new volume on your Nasuni Edge Appliance.
Appendix: Creating a lifecycle policy (Optional)
Azure Blob Storage lifecycle management provides a rule-based policy system that enables you to transition blob data to the appropriate access tiers or expire data at the end of its lifecycle. A lifecycle policy acts on a base blob, and optionally on the blob's versions or snapshots.
Important: Nasuni does not support the Archive tier. Do not select this choice.
You can add, edit, or remove a lifecycle management policy using the Azure portal, PowerShell, Azure CLI, or an Azure Resource Manager template.
For details and procedures, see the Configure a lifecycle management policy.
The following procedure describes the List View of the Azure portal.
To create lifecycle rules, follow these steps:
From the Azure portal, navigate to your Storage account.
Click Data management.
Under Data management, click Lifecycle Management to view or change lifecycle management policies. The Lifecycle Management pane appears.
Click the List View tab.
Click Add a rule. The Add a rule pane appears.
Enter a name for your rule in Rule name. The Rule name can only contain letters and numbers, and must be between 1 and 256 characters.
For the Rule scope, select Apply rule to all blobs in your storage account.
For the Blob type, select Block blobs. Block blobs are the most common type of blob and are used to store large amounts of data. Block blobs are made up of blocks that can be uploaded in parallel. Each block can be a maximum of 100 MB in size. A block blob can contain up to 50,000 blocks. Block blobs are optimized for both read and write operations, providing efficient data transfer.
For Blob subtype, select Base blobs.
(Optional) Select Snapshots if you want to enable snapshots of your blobs.
Important: Do not select Versions. Nasuni does not write object versions.
Click Next.
If you have selected Base blobs as the Blob subtype, the Base blobs pane appears. You can use this pane to define one or more rules.
Define a rule by completing these areas:
Select the type of date that you want to use to transition data: Last modified or Created.
Enter how many days ago in the More than (days ago) box.
For example, if you want this rule to apply to data last modified 90 days ago, enter 90.
Select the action to perform if the data satisfies the condition, from the following:
Move to archive storage: Do not select this choice. Nasuni does not support the Archive tier.
Delete the blob: Do not select this choice. If the blob is deleted, then the objects cannot be restored via Nasuni.
Move to cool storage: Keep infrequently accessed data for at least 30 days.
Move to cold storage: Keep rarely accessed data for at least 90 days.
(Optional) To add further conditions, click Add conditions. Define the condition rules, similar to the rules in step 13.
Click Next.
If you selected Snapshots, the Snapshots pane appears. Define the snapshot management rules, similar to the rules in step 13.
Click Next.
Do not select the Versions pane. Nasuni does not write object versions.
Click Add. The new rule appears in the list of rules.
You can enable, disable, edit, and delete any of the rules.
Appendix: Prefix-Based Tiering of Objects (Optional)
Customers who understand their workflow pattern requirements and wish to reduce storage costs can use object prefix-based rules to move their data objects to a less expensive tier, while maintaining all metadata objects in the standard tier. This is particularly useful for use cases involving filesystem search, indexing, scanning, or classification. It is essential to note that deep scan workflows incur a cost if the data is retrieved before the default time allowed by the storage class. For more information, see Optimize costs by automatically managing the data lifecycle.
Nasuni Data objects have the prefix designation of ‘1.’ (the number One followed by a period) at the beginning of the object name. Prefix-based rules can be implemented to migrate this object type to a lower-cost online tier.
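The following is an added example, not Nasuni's or Microsoft's code, serving both appendices. It builds an Azure Blob lifecycle management policy in the JSON shape the Azure CLI and ARM templates accept, filters it to the "1." data-object prefix described above so metadata objects stay in the default tier, and lints any policy against the rules in the lifecycle appendix (no Archive tier, no base-blob delete, Cool after at least 30 days, Cold after at least 90). The container name "nasuni-vol1" is constructed.

```python
# Added example, not Nasuni's or Microsoft's code: build and lint an Azure Blob
# lifecycle policy following this guide's rules. Container name is constructed.
import json

COOL_MIN_DAYS, COLD_MIN_DAYS = 30, 90

def cool_cold_rule(name, prefixes=None, cool_days=COOL_MIN_DAYS, cold_days=COLD_MIN_DAYS,
                   by_last_access=False):
    """Rule that tiers base block blobs to Cool, then Cold. prefixes are
    "container/blobprefix" filters; by_last_access switches the condition to
    access tracking (daysAfterLastAccessTimeGreaterThan) instead of last-modified."""
    key = "daysAfterLastAccessTimeGreaterThan" if by_last_access else "daysAfterModificationGreaterThan"
    filters = {"blobTypes": ["blockBlob"]}
    if prefixes:
        filters["prefixMatch"] = list(prefixes)
    return {"enabled": True, "name": name, "type": "Lifecycle",
            "definition": {"actions": {"baseBlob": {"tierToCool": {key: cool_days},
                                                    "tierToCold": {key: cold_days}}},
                           "filters": filters}}

def lint_policy(policy):
    """Return findings; an empty list means every rule follows the guidance."""
    findings = []
    for rule in policy.get("rules", []):
        base = rule["definition"]["actions"].get("baseBlob", {})
        if "tierToArchive" in base:
            findings.append(f"{rule['name']}: tierToArchive selected; Nasuni does not support the Archive tier")
        if "delete" in base:
            findings.append(f"{rule['name']}: base-blob delete selected; deleted objects cannot be restored via Nasuni")
        for action, floor in (("tierToCool", COOL_MIN_DAYS), ("tierToCold", COLD_MIN_DAYS)):
            for days in base.get(action, {}).values():
                if days < floor:
                    findings.append(f"{rule['name']}: {action} after {days} days is under the {floor}-day minimum")
    return findings

# Prefix-based tiering: only data objects (names starting with "1.") change tier;
# metadata objects in the same container remain in the account's default tier.
POLICY = {"rules": [cool_cold_rule("nasuni-data-objects", prefixes=["nasuni-vol1/1."])]}

def policy_json(policy=POLICY) -> str:
    """Serialized policy, ready to save as policy.json for the Azure CLI or an ARM template."""
    return json.dumps(policy, indent=2)
```

Save the output of policy_json() to a file and apply it with az storage account management-policy create --policy @policy.json together with the account name and resource group.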