Azure Blob Storage: Object Storage Across Hot, Cool, Cold, and Archive Tiers
Blob Storage is Azure’s object storage service for unstructured data: images, videos, log files, database backups, ML training datasets, web assets, and anything else that does not fit neatly into a database row or file share directory. It scales to exabytes with no configuration, charges per gigabyte stored, and handles redundancy automatically based on the replication option you select.
Every object lives inside a container, inside a storage account. The storage account is the billing and access-control boundary. Containers are flat namespaces — there are no real folders, but the / character in blob names creates the illusion of a directory tree in the portal and most SDKs.
Real-World Scenario
A news media company publishes 500 articles per day, each with several images. Recent articles (last 30 days) are served directly to readers and must load quickly — Hot tier. Articles from the past year are occasionally accessed for references — Cool tier. Articles older than a year are kept for legal compliance but rarely read — Archive tier. A lifecycle management policy handles the transitions automatically, cutting storage costs by over 60% compared to keeping everything on Hot.
Blob Types
Blob Type | Description | Typical Use----------------|--------------------------------------|------------------------------Block Blob | Optimised for sequential upload | Images, video, backups, docs | Up to 190.7 TB per blob | | Uploaded in blocks, committed at end |----------------|--------------------------------------|------------------------------Append Blob | Only append operations allowed | Log files, audit trails | Each append is atomic | Cannot overwrite existing data----------------|--------------------------------------|------------------------------Page Blob | Random read/write, 512-byte pages | Azure VM OS and data disks | Up to 8 TB | IaaS disk backingPage blobs underpin Azure managed disks. If you are building an application, you will almost always use block blobs. Append blobs are niche but perfect for scenarios where you need to write log entries from multiple concurrent writers without locking.
Access Tiers
Tiers control the cost trade-off between storage price and access price. Frequently read data should stay Hot; rarely read data should move to cooler tiers:
Tier | Storage Cost | Access Cost | Min Storage Duration | Retrieval Latency-----------|--------------|-------------|----------------------|------------------Hot | Highest | Lowest | None | MillisecondsCool | Lower | Higher | 30 days | MillisecondsCold | Lower still | Higher | 90 days | MillisecondsArchive | Lowest | Highest | 180 days | Hours (rehydrate first)Archive tier is offline — blobs cannot be read until rehydrated to Hot or Cool, which takes 1–15 hours depending on the rehydration priority (High priority: up to 1 hour; Standard: up to 15 hours).
Tiers are set at the individual blob level (not the container or account level), giving fine-grained control.
Lifecycle Management Policy
Lifecycle policies run daily and move or delete blobs based on age and last-access time:
{ "rules": [ { "name": "media-tiering", "enabled": true, "type": "Lifecycle", "definition": { "filters": { "blobTypes": ["blockBlob"], "prefixMatch": ["media/"] }, "actions": { "baseBlob": { "tierToCool": { "daysAfterModificationGreaterThan": 30 }, "tierToArchive": { "daysAfterModificationGreaterThan": 365 }, "delete": { "daysAfterModificationGreaterThan": 2555 } }, "snapshot": { "delete": { "daysAfterCreationGreaterThan": 90 } } } } } ]}Lifecycle policies apply to containers, blob prefixes, or blob index tags. Combining prefix filters with tag filters lets you apply different retention rules to different content categories stored in the same container.
SAS Tokens
A Shared Access Signature (SAS) grants time-limited, scoped access to a storage resource without sharing the account key. There are three types:
SAS Type | Scope | Best For-------------------|-----------------|------------------------------------------Account SAS | Entire account | Service-level operations (rarely used)Service SAS | One service | Delegate read/write on one containerUser Delegation SAS| One service | Same as Service SAS but signed with Azure AD credentials (preferred)User Delegation SAS is the most secure option — it does not expose the account key and can be revoked by revoking the user’s Azure AD token or the delegation key.
from azure.storage.blob import ( BlobServiceClient, generate_blob_sas, BlobSasPermissions,)from datetime import datetime, timedelta, timezone
sas_token = generate_blob_sas( account_name="mystorageacct", container_name="media", blob_name="video/welcome.mp4", account_key="<account_key>", # or use user delegation key permission=BlobSasPermissions(read=True), expiry=datetime.now(timezone.utc) + timedelta(hours=2),)url = f"https://mystorageacct.blob.core.windows.net/media/video/welcome.mp4?{sas_token}"Versioning and Soft Delete
Enabling versioning creates an immutable snapshot of a blob every time it is overwritten or deleted. The current version is the live blob; previous versions are stored at a small additional cost and can be restored with a single API call.
Soft delete keeps deleted blobs for a retention period (1–365 days) before permanent removal. Versioning and soft delete together provide a strong safety net against accidental deletion and ransomware-style overwrites.
Blob History With Versioning-----------------------------v1 (2024-01-10) <- overwrittenv2 (2024-03-15) <- overwrittenv3 (2024-06-01) <- CURRENT
After delete:v3 moved to soft-deleted state (retained 30 days)Restore: az storage blob undeleteStorage Redundancy Options
Redundancy | Copies | Failure Protection | Notes------------|--------|-----------------------------|------------------------LRS | 3 | Single rack failure | CheapestZRS | 3 | Data centre failure | Recommended for prodGRS | 6 | Regional outage (read-only) | RA-GRS adds read accessGZRS | 6 | Zone + regional outage | Best resilienceKey Interview Points
- Hot vs. Archive trade-off: Archive is not immediately readable. If you Archive a blob that needs to be read in an emergency, you must rehydrate it first (up to 15 hours on standard priority). Plan your tier strategy around actual access patterns.
- Tier at blob level: Unlike S3 storage classes, which are per-object and set at upload, Azure Blob tiers can be changed at any time on individual blobs after upload. This allows retroactive tiering.
- Immutability policies: Time-Based Retention and Legal Hold policies prevent any modification or deletion of blobs in a container, regardless of permissions. Used for regulatory compliance (SEC, FINRA, HIPAA).
- Static website hosting: Blob Storage can serve a static website directly from a
$webcontainer with a custom domain and CDN. No web server needed. - Data Lake Storage Gen2 vs. Blob Storage: ADLS Gen2 is Blob Storage with a hierarchical namespace enabled. The same storage account, same pricing, but directories become real objects and POSIX-style ACLs are supported.
Best Practices
- Enable versioning and soft delete on all production storage accounts — recovery from accidental deletion is much easier than explaining to stakeholders why data is gone.
- Prefer User Delegation SAS over Account SAS; it does not require storing or rotating the account key.
- Use blob index tags for content classification, then build lifecycle policies and metadata searches on those tags.
- Restrict public access at the storage account level; use Private Endpoints for services that need to access Blob Storage from within a VNet.
- Monitor ingress/egress and request counts with Azure Monitor to detect unexpected access patterns or cost spikes early.