Design 6: Storage Redundancy (LRS vs GRS)

Summary

This design demonstrates Azure Storage redundancy choices, selecting GZRS for a storage account that is reachable only through Private Link.

Topology: The Storage Account is in a Spoke VNet (Private Link).

1. Key Design Decisions (ADR)

ADR-01: Redundancy

  • Decision: GZRS (Geo-Zone-Redundant Storage).
  • Rationale: Maximum durability (16 9s over a year). Data is written synchronously to 3 availability zones in East US AND replicated asynchronously to the paired region, West US.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  User / App  |           |        HUB VNet          |           |  SPOKE VNet  |
|              |           |      (DNS Resolver)      |           |  (Data)      |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v                                | (Peering)                      |
+------+-------+                        v                                v
|  Private     |           +------------+-------------+           +------+-------+
|  Endpoint    |---------->| Private DNS Zone         |<--------->|  Storage     |
|              |           | (privatelink.blob)       |           |  Account     |
+--------------+           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Private DNS Zone      |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-storage-spoke (10.1.0.0/16)                          |
|   +-----------------------+                                           |
|   | Subnet: PrivateLink   |                                           |
|   | [Private Endpoint]    |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v                                                       |
|   +-----------------------+                                           |
|   | Storage Account       |                                           |
|   | (GZRS)                |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR STRATEGY                                                           |
|   +-----------------------+                                           |
|   | Storage Replica       |                                           |
|   | (Async Copy)          |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • GZRS: Best of both worlds (ZRS + GRS). Zone-redundant (synchronous, 3 zones) in the primary region, plus an asynchronous locally redundant copy in the secondary region.

5. Strategy: High Availability (HA)

  • ZRS: Survives a Zone failure in East US with no failover action and no data loss, because a write is committed to all three zones before it is acknowledged.

6. Strategy: Disaster Recovery (DR)

  • GRS: Survives a Region failure. The secondary copy is asynchronous, so a failover loses any writes made after the Last Sync Time; with GZRS (as opposed to RA-GZRS) the secondary is not readable until a failover has been performed.

7. Strategy: Backup

  • Blob: Soft Delete (blob and container), Versioning, Point-in-Time Restore (requires soft delete, versioning and change feed). These protect against accidental or malicious deletion and overwrite; replication alone does not, because a delete is replicated to the secondary as well.

8. Strategy: Security

  • Private Link: Public network access is disabled; the account is reachable only through the private endpoint in the Spoke. Pair this with Entra ID authorization (storage account key access disabled) so that network isolation is not the only control.

9. Well-Architected Framework Analysis

  • Reliability: Excellent. Zone and region redundancy; RPO is bounded by the Last Sync Time.
  • Security: High. No public network path; Entra ID authorization preferred over shared keys.
  • Cost Optimization: Medium. GZRS is the most expensive redundancy option, and geo-replication traffic is billed.
  • Operational Excellence: High. Failover is a single, though disruptive, operation.
  • Performance Efficiency: High. Private Link keeps client traffic on the Azure backbone.

10. Detailed Traffic Flow

1. Write: App writes to https://stgzrscorp[uniqueid].blob.core.windows.net over HTTPS.

2. DNS: The public name is a CNAME to stgzrscorp[uniqueid].privatelink.blob.core.windows.net; the Private DNS Zone answers with the private endpoint IP 10.1.1.5, so traffic never leaves the VNet.

3. Commit: Data written synchronously to 3 Zones in East US before the write is acknowledged.

4. Replicate: Data replicated asynchronously to West US (progress is visible as the Last Sync Time).

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Resource Group & VNet

1. Create Resource Group: rg-design06-storage. Region: East US.

2. Create VNet:

* Name: vnet-storage-spoke.

* Address space: 10.1.0.0/16.

* Subnet: snet-privatelink (10.1.1.0/24).

3. Peering: Peer vnet-storage-spoke to vnet-hub.

Phase 2: Create Storage Account (GZRS)

1. Search: "Storage accounts" -> + Create.

2. Resource group: rg-design06-storage.

3. Name: stgzrscorp[uniqueid].

4. Region: East US.

5. Performance: Standard.

6. Redundancy: Geo-zone-redundant storage (GZRS).

* *Note: This ensures data is in 3 AZs in East US AND replicated to West US.*

7. Advanced tab:

* Enable storage account key access: Disabled (preferred: Entra ID authorization only). Leave it Enabled only while a client still needs Shared Key or an account SAS, since the account keys grant full access to every container.

8. Networking tab:

* Public network access: Disabled (We will use Private Link).

9. Create.

Phase 3: Configure Private Link

1. Go to the new Storage Account.

2. Networking -> Private endpoint connections -> + Private endpoint.

3. Resource group: rg-design06-storage.

4. Name: pe-storage-blob.

5. Target sub-resource: blob.

6. Virtual Network: vnet-storage-spoke.

7. Subnet: snet-privatelink.

8. DNS integration:

* Integrate with private DNS zone: Yes.

* Zone: privatelink.blob.core.windows.net.

* *Note: The portal links the zone to vnet-storage-spoke only. Also link the zone to vnet-hub (Private DNS zone -> Virtual network links), otherwise the Phase 4 lookup from a Hub VM returns the public IP.*

9. Create.
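The three deployment phases above as a single az CLI script, together with the section 7 backup settings and the Advanced/Networking hardening applied at creation time. This is an added example, not part of the original runbook. It assumes you are logged in with az login, that vnet-hub already exists in rg-design06-storage (adjust HUB_VNET if it lives elsewhere), and derives the [uniqueid] suffix from the resource-group name; the 14-day retention and 7-day restore window are illustrative choices.

```shell
#!/usr/bin/env sh
# Added example, not part of the original design page: az CLI equivalent of
# runbook Phases 1-3 plus the section 7 backup settings. Names follow the runbook.
# Assumptions: az login done, vnet-hub already exists in $RG, and the [uniqueid]
# suffix is derived from the resource-group name so re-runs are idempotent.
set -eu

RG="rg-design06-storage"
LOCATION="eastus"
HUB_VNET="vnet-hub"              # assumed to pre-exist in $RG
SPOKE_VNET="vnet-storage-spoke"
SUBNET="snet-privatelink"
PE_NAME="pe-storage-blob"
ZONE="privatelink.blob.core.windows.net"
SA_PREFIX="stgzrscorp"

# Storage account names must be 3-24 lowercase letters or digits (globally unique).
valid_storage_account_name() {
  case "$1" in *[!a-z0-9]*) return 1 ;; esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
}

# Deterministic [uniqueid] suffix: CRC of the resource-group name.
storage_account_name() {
  suffix=$(printf '%s' "$RG" | cksum | cut -d' ' -f1)
  printf '%s%s' "$SA_PREFIX" "$suffix" | cut -c1-24
}

deploy() {
  SA=$(storage_account_name)
  valid_storage_account_name "$SA"

  # Phase 1: resource group, spoke VNet/subnet, peering in both directions.
  az group create --name "$RG" --location "$LOCATION" -o none
  az network vnet create -g "$RG" -n "$SPOKE_VNET" --address-prefixes 10.1.0.0/16 \
    --subnet-name "$SUBNET" --subnet-prefixes 10.1.1.0/24 -o none
  az network vnet peering create -g "$RG" -n spoke-to-hub --vnet-name "$SPOKE_VNET" \
    --remote-vnet "$HUB_VNET" --allow-vnet-access -o none
  az network vnet peering create -g "$RG" -n hub-to-spoke --vnet-name "$HUB_VNET" \
    --remote-vnet "$SPOKE_VNET" --allow-vnet-access -o none

  # Phase 2: GZRS account. The Advanced/Networking tab choices are enforced at
  # creation: no public network path, no shared-key auth (Entra ID/RBAC only),
  # no anonymous blob access, TLS 1.2 minimum, HTTPS only.
  az storage account create -n "$SA" -g "$RG" -l "$LOCATION" \
    --kind StorageV2 --sku Standard_GZRS \
    --public-network-access Disabled \
    --allow-shared-key-access false \
    --allow-blob-public-access false \
    --min-tls-version TLS1_2 --https-only true -o none

  # Section 7 backup: soft delete, versioning, change feed and point-in-time
  # restore (PITR needs all three; the restore window must be shorter than retention).
  az storage account blob-service-properties update --account-name "$SA" -g "$RG" \
    --enable-delete-retention true --delete-retention-days 14 \
    --enable-container-delete-retention true --container-delete-retention-days 14 \
    --enable-versioning true --enable-change-feed true \
    --enable-restore-policy true --restore-days 7 -o none

  # Phase 3: private DNS zone linked to BOTH VNets, so a Hub VM (Phase 4) and
  # the Spoke both resolve the account to the private endpoint IP.
  az network private-dns zone create -g "$RG" -n "$ZONE" -o none
  for vnet in "$HUB_VNET" "$SPOKE_VNET"; do
    az network private-dns link vnet create -g "$RG" -n "link-$vnet" --zone-name "$ZONE" \
      --virtual-network "$vnet" --registration-enabled false -o none
  done
  SA_ID=$(az storage account show -n "$SA" -g "$RG" --query id -o tsv)
  az network private-endpoint create -g "$RG" -n "$PE_NAME" \
    --vnet-name "$SPOKE_VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$SA_ID" --group-id blob \
    --connection-name "$PE_NAME-conn" -o none
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$PE_NAME" \
    -n default --private-dns-zone "$ZONE" --zone-name blob -o none

  echo "Deployed $SA (GZRS, private endpoint $PE_NAME)"
}

# Only deploy when explicitly asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `sh deploy.sh deploy`. Creating the account with `--public-network-access Disabled` and `--allow-shared-key-access false` from the start avoids the window in which a freshly created account is reachable from the internet with its keys enabled.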

Phase 4: Verify Access

1. From a VM in the Hub (or peered Spoke):

* Run nslookup stgzrscorp[uniqueid].blob.core.windows.net.

* It should show a CNAME to stgzrscorp[uniqueid].privatelink.blob.core.windows.net and resolve to 10.1.1.x (the private endpoint IP). A public IP means the VM's VNet is not linked to the private DNS zone.

2. Attempt to access via Public Internet (Browser or curl):

* It should fail with HTTP 403 and error code AuthorizationFailure ("This request is not authorized to perform this operation.") because Public network access is disabled. The name still resolves publicly; the block is enforced by the storage firewall, not by DNS.
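The Phase 4 checks (and the DNS step of section 10) as a script, added here as an example rather than taken from the original runbook. It assumes dig and curl are available and that the account name, stgzrscorp[uniqueid], is passed as the second argument; the 403 body used by its self-test is a constructed copy of the shape Azure Storage returns, not captured from a live account.

```shell
#!/usr/bin/env sh
# Added example, not part of the original design page: scripted Phase 4 checks.
# Usage: sh verify.sh check stgzrscorp<uniqueid>
#   check_dns            -> run from a Hub or Spoke VM (must see 10.1.1.x)
#   check_public_blocked -> run from OUTSIDE the VNet (must see 403 AuthorizationFailure)
set -eu

# Dotted-quad IPv4 to integer, e.g. 10.1.1.5 -> 167837957.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when IPv4 $1 lies inside CIDR $2 (e.g. the 10.1.1.0/24 PrivateLink subnet).
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  ip_n=$(ip_to_int "$1"); net_n=$(ip_to_int "$net")
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# Azure Storage error bodies are XML: <Error><Code>X</Code><Message>...</Message></Error>.
# Prints the <Code> value, or nothing if the body is not a storage error.
storage_error_code() {
  printf '%s' "$1" | sed -n 's/.*<Code>\([A-Za-z]*\)<\/Code>.*/\1/p'
}

# Constructed sample (not captured from a live account) of the body returned when
# public network access is disabled; used by the self-test below.
SAMPLE_BLOCKED_BODY='<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationFailure</Code><Message>This request is not authorized to perform this operation.
RequestId:00000000-0000-0000-0000-000000000000
Time:2024-01-01T00:00:00.0000000Z</Message></Error>'

check_dns() {   # $1 = storage account name
  fqdn="$1.blob.core.windows.net"
  # Expected chain: <acct>.blob.core.windows.net -> <acct>.privatelink.blob.core.windows.net -> 10.1.1.x
  ip=$(dig +short "$fqdn" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1 || true)
  if [ -n "$ip" ] && ip_in_cidr "$ip" 10.1.1.0/24; then
    echo "DNS OK: $fqdn -> $ip (private endpoint)"
  else
    echo "DNS FAIL: $fqdn -> ${ip:-<none>} (public resolution: VNet not linked to the private zone?)"
    return 1
  fi
}

check_public_blocked() {   # $1 = storage account name; run from outside the VNet
  url="https://$1.blob.core.windows.net/?comp=list"
  body=$(curl -s -w '\n%{http_code}' "$url" || true)
  code=$(printf '%s' "$body" | tail -n 1)
  err=$(storage_error_code "$body")
  # AuthorizationFailure is the network-perimeter rejection. Any other code means
  # the request reached the service, i.e. public network access is not disabled.
  if [ "$code" = "403" ] && [ "$err" = "AuthorizationFailure" ]; then
    echo "Public access blocked as expected (403 AuthorizationFailure)"
  else
    echo "UNEXPECTED: HTTP ${code:-<none>}, error code '${err:-<none>}'"
    return 1
  fi
}

if [ "${1:-}" = "check" ] && [ -n "${2:-}" ]; then
  check_dns "$2"
  check_public_blocked "$2"
fi
```

Run the DNS check from a Hub VM and the public check from a machine outside the VNet: from inside, the name resolves to the private endpoint, the request reaches the service, and the error changes to an authentication error rather than the perimeter rejection the test is looking for.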

Phase 5: Test Failover (DR)

1. Go to Storage Account -> Redundancy.

2. Note the Last Sync Time. Writes made after this timestamp have not reached West US and are lost in an unplanned failover; this is the effective RPO.

3. Prepare for customer-managed failover: (This is a disruptive action, usually for testing or real disaster).

* *Note: In a real scenario, you would click "Prepare for failover". When the failover completes, West US becomes the primary, the endpoint name is unchanged, and the account is left as LRS; re-enable GZRS afterwards to restore geo-redundancy.*