How to create a highly available private storage account for company documents
Source: Dev.to
Introduction
Every company has data it simply cannot afford to lose or expose: internal documents, financial records, HR files, and department reports live at the heart of how a business operates. But when your company spans multiple offices across different regions, keeping that data private, protected, and always available becomes a real challenge. This guide covers all three needs (private storage, high availability, and automated backup) step by step.
What You’re Building
✅ A private storage account nobody can access without permission
This is your company’s secure vault in the cloud.
In Azure Portal, search for Storage accounts
Click + Create
Select your existing resource group
Name it private plus a unique identifier (like private2026)
Choose Azure blob storage for primary service
Click Review
Then Create
Wait for deployment, then click Go to resource
Step 2: Set Up Geo-Redundant Storage (GRS)
One copy of your data is not enough. GRS keeps a second copy in a completely separate Azure region so that a regional outage doesn’t take your data with it.
In your storage account, go to Data management → Redundancy
Select Geo-redundant storage (GRS) from the dropdown
Click Save
Refresh page
You’ll now see two locations listed: your primary region and a secondary region. Your data lives in both. If one disappears, the other keeps your business running.
Containers are how you organise files within your storage account. This one is strictly private.
Go to Data storage → Containers
Click + Container
Set the name to private
Keep Public access level as Private (no anonymous access)
Click Create
Step 4: Upload a File and Confirm It’s Private
Let’s test that privacy actually works.
Click on your private container
Click Upload and choose any file from your computer
Click Upload
Click on the uploaded file
Copy the URL from the Overview tab
Open a new browser tab and paste the URL
You should see an error like “ResourceNotFound” or “Public access is not permitted.” That error is the correct result. Your file is private. 🔒
Your external partner needs to view one file for 24 hours. You don’t want to give them an account, a password, or permanent access. SAS tokens are the answer: a self-expiring link that works once, for a set time, then stops.
Click on your uploaded file
Go to the Generate SAS tab
Set Permissions to Read only
Check that the expiry is set to 24 hours from now
Click Generate SAS token and URL
Copy the Blob SAS URL
Paste it in a new browser tab
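The Blob SAS URL carries its permissions, scope and expiry as query parameters (sp, sr, spr, st, se), so it can be checked against the settings above before it is sent to a partner. The following is an added example, not part of the original post; the sample URLs, the file name report.pdf and the sig values are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # the sharing window used in this guide

# Constructed sample URLs; the sig values are placeholders, not real signatures.
GOOD = ("https://private2026.blob.core.windows.net/private/report.pdf"
        "?sv=2022-11-02&st=2026-01-01T09:00:00Z&se=2026-01-02T09:00:00Z"
        "&sr=b&sp=r&spr=https&sig=CONSTRUCTED")
BAD = ("https://private2026.blob.core.windows.net/private"
       "?sv=2022-11-02&se=2027-01-01T00:00:00Z&sr=c&sp=rwdl&sig=CONSTRUCTED")


def _parse_time(value):
    """Parse the ISO 8601 UTC timestamps carried in st and se."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas_url(url, now=None, max_lifetime=MAX_LIFETIME):
    """Return a list of findings; an empty list means the link matches the guide."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig parameter: this is not a SAS URL"]
    findings = []
    if set(q.get("sp", "")) != {"r"}:
        findings.append("permissions are not read-only: sp=" + q.get("sp", "<missing>"))
    if q.get("sr") != "b":
        findings.append("scope is not a single blob: sr=" + q.get("sr", "<missing>"))
    if parts.scheme != "https" or q.get("spr") != "https":
        findings.append("token is not restricted to HTTPS (expected spr=https)")
    if "se" not in q:
        findings.append("no expiry in the URL (se missing)")
        return findings
    expiry = _parse_time(q["se"])
    start = _parse_time(q["st"]) if "st" in q else now
    if expiry <= now:
        findings.append("already expired: se=" + q["se"])
    elif expiry - start > max_lifetime:
        findings.append("valid for longer than %s: se=%s" % (max_lifetime, q["se"]))
    return findings


if __name__ == "__main__":
    for name, url in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_sas_url(url) or "matches the guide")
```

Anyone holding the full URL holds the access it grants, so treat it like a credential and keep it out of tickets, chat history and logs.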
The file loads! But exactly 24 hours later, the same link will not work.
Files you haven’t touched in 30 days cost the same as files you use every day. That’s wasteful and this rule fixes it automatically.
In your storage account, go to Data management → Lifecycle management
Click Add rule
Name it movetocool
Set the scope to Apply rule to all blobs in the storage account
Click Next
Keep Last modified selected
Set More than (days ago) to 30
In the Then dropdown, select Move to cool storage
Click Add
Files sit in hot storage while active, then quietly move themselves to the cheaper cool tier after a month.
Before setting up automatic replication, you need somewhere to receive the backup files.
In your private storage account, go to Data storage → Containers
Click + Container
Name it backup
Keep the defaults and click Create
This container will receive automatic copies of your public website files.
Your public website storage has files that need backing up. Instead of doing it manually, set up a replication rule that copies files automatically in the background.
Go to your public website storage account (from your previous setup; check my older articles if you need a guide)
Navigate to Data management → Object replication
Click Create replication rules
Set Destination storage account to your private storage account
Set Source container to public
Set Destination container to backup
Click Create
From now on, any file uploaded to your public website container will automatically appear in your private backup container within a few minutes.
Go to your public website storage account
Upload any file to the public container
Wait 3-5 minutes
Go back to your private storage account
Open the backup container
Your file appears there automatically. You’ve got a live backup running in the background. ✅
Common Issues
Seeing “Public access not permitted” error when testing: That’s correct, it means your privacy settings are working. Only your SAS URL should load the file.
SAS URL not working: Check the expiry time, it may have already passed. Generate a new one.
Replication not showing up in backup container: Give it 5-10 minutes. Object replication isn’t instant. If it still doesn’t appear after 15 minutes, verify both containers exist and the rule is enabled.
Which department in your company would benefit most from this setup first? Finance, HR, or IT? Drop it in the comments, I’d love to know what you’re protecting.