While preparing for the AZ-305: Designing Microsoft Azure Infrastructure Solutions exam, many candidates struggle with designing secure, multi-tenant storage solutions. In the enterprise world, this decision often hinges on regulatory encryption requirements vs. ease of key management and data access patterns. Let’s drill into a simulated migration scenario.
The Scenario #
Tailspin Manufacturing is a global enterprise specializing in precision equipment. Their new SaaS application stores sensitive user data separated by tenant and requires strict compliance with data encryption regulations. The security team mandates:
- Each individual user’s data must be encrypted using a unique key.
- All encryption keys must be customer-managed with Azure Key Vault integration.
- The storage solution must support multi-tenant blob storage access in Azure.
- The solution must fit into their hybrid governance model aligned with the Microsoft Cloud Adoption Framework, including Azure Policy enforcement.
Key Requirements #
Select the storage account and data type combination that meets these requirements.
The Options #
- A) Files stored in a Premium File Share storage account
- B) Blobs stored in a General-Purpose v2 storage account
- C) Blobs stored in an Azure Data Lake Storage Gen2 account
- D) Files stored in a General-Purpose v2 storage account
Correct Answer #
Option B: Blobs stored in a General-Purpose v2 storage account.
Step-by-Step Winning Logic #
- Security & Encryption: GPv2 storage accounts natively support Azure Storage Service Encryption with Customer-Managed Keys (CMK) stored in Azure Key Vault. This meets Tailspin’s requirement that all data be encrypted with customer keys under enterprise control.
- Granular Keying: Blob storage supports per-object encryption keys, enabling each user’s data to use a unique key, fulfilling multi-user key isolation.
- Performance & Cost: GPv2 offers the most flexible performance tiers and cost options for blob workloads, supporting growing data volumes efficiently.
- Governance: Azure Policy can enforce CMK use on GPv2 accounts and integrate with Tailspin’s enterprise hybrid monitoring and compliance toolset as defined by the Cloud Adoption Framework.
- Hybrid & Enterprise Alignment: This approach fits neatly with hybrid architectures where key vaults and policies may span on-premises and cloud environments.
💎 The Architect’s Deep Dive: Why Options Fail #
The Traps (Distractor Analysis) #
- Why not A (Premium File Share)? Azure Premium File Shares do not currently support customer-managed encryption keys nor per-user key encryption. This disqualifies them for mandated CMK requirements.
- Why not C (ADLS Gen2)? Although Data Lake Gen2 supports customer-managed keys, it primarily targets big data analytics workloads with hierarchical namespaces, and per-object key management is less granular and harder to enforce per user in multi-tenant SaaS scenarios.
- Why not D (Files in GPv2)? File shares in GPv2 do not support storing multiple users’ data with isolated keys nor customer-managed key encryption at the file level, making this option inadequate for Tailspin’s encryption governance.
The Architect Blueprint #
Mermaid Diagram illustrating the secure blob storage with CMK integration flow.

```mermaid
graph TD
    User([Application User]) --> App[SaaS Application Frontend]
    App --> Blob["Azure Blob Storage (GPv2)"]
    Blob -. Encryption Key Request .-> KV["Azure Key Vault (CMK)"]
    Blob --> Data[Encrypted Blob Data]
    style Blob fill:#0078D4,stroke:#333,color:#fff
    style KV fill:#5C2D91,stroke:#333,color:#fff
```
Diagram Note: The SaaS app writes multi-tenant user data as blobs encrypted with unique per-user Customer-Managed Keys retrieved from Azure Key Vault, ensuring compliance and governance.
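To make the blueprint concrete, here is an added Bicep example (not from the original post and not a Tailspin artifact) that provisions the GPv2 account with an account-level CMK and then carves out one encryption scope and one container per tenant, each bound to its own Key Vault key. It assumes an existing Key Vault and an existing user-assigned identity that already holds the Key Vault Crypto Service Encryption User role on that vault; all parameter names are illustrative.

```bicep
param location string = resourceGroup().location
param storageAccountName string   // assumed: 3-24 lowercase alphanumerics, globally unique
param keyVaultName string         // assumed: existing vault with soft delete + purge protection on
param cmkIdentityId string        // assumed: resource ID of the user-assigned identity with wrap/unwrap rights
param accountKeyName string       // assumed: existing vault key used as the account-level CMK
param tenantKeyNames array        // assumed: one existing vault key name per tenant, e.g. ['tenant-a', 'tenant-b']

resource keyVault 'Microsoft.KeyVault/vaults@2023-07-01' existing = {
  name: keyVaultName
}

// General-Purpose v2 account: everything at rest is encrypted under the customer-managed account key.
// No keyversion is given, so Storage follows the key's current version (automatic rotation).
resource storage 'Microsoft.Storage/storageAccounts@2023-05-01' = {
  name: storageAccountName
  location: location
  kind: 'StorageV2'
  sku: { name: 'Standard_LRS' }
  identity: { type: 'UserAssigned', userAssignedIdentities: { '${cmkIdentityId}': {} } }
  properties: {
    allowBlobPublicAccess: false
    encryption: {
      keySource: 'Microsoft.Keyvault'
      identity: { userAssignedIdentity: cmkIdentityId }
      keyvaultproperties: { keyvaulturi: keyVault.properties.vaultUri, keyname: accountKeyName }
    }
  }
}

resource blobService 'Microsoft.Storage/storageAccounts/blobServices@2023-05-01' = {
  parent: storage
  name: 'default'
}

// One encryption scope per tenant, each bound to that tenant's own Key Vault key (vaultUri ends with '/')
resource tenantScopes 'Microsoft.Storage/storageAccounts/encryptionScopes@2023-05-01' = [for k in tenantKeyNames: {
  parent: storage
  name: 'scope-${k}'
  properties: {
    source: 'Microsoft.KeyVault'
    state: 'Enabled'
    keyVaultProperties: { keyUri: '${keyVault.properties.vaultUri}keys/${k}' }
  }
}]

// One container per tenant pinned to its scope; denyEncryptionScopeOverride rejects any upload
// that names a different scope, so a tenant's blobs cannot land under another tenant's key
resource tenantContainers 'Microsoft.Storage/storageAccounts/blobServices/containers@2023-05-01' = [for (k, i) in tenantKeyNames: {
  parent: blobService
  name: 'tenant-${k}'
  properties: { defaultEncryptionScope: tenantScopes[i].name, denyEncryptionScopeOverride: true }
}]
```

To enforce the CMK mandate across subscriptions rather than per template, an Azure Policy definition can audit or deny storage accounts whose `Microsoft.Storage/storageAccounts/encryption.keySource` alias is not `Microsoft.Keyvault`.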
The Decision Matrix #
| Option | Est. Complexity | Est. Monthly Cost | Pros | Cons |
|---|---|---|---|---|
| A) Premium File Share | Medium | Higher (Premium Tier) | Low latency for file access | No CMK support, lacks per-user key granularity |
| B) GPv2 Blob Storage | Medium-High | Variable (Standard/Hot) | Supports CMK with per-blob keys, flexible tiers | Requires key management setup and policy enforcement |
| C) ADLS Gen2 Blob | High | Variable (Analytic Workloads) | CMK supported, hierarchical namespace for analytics | Complex for per-user key encryption in SaaS scenario |
| D) GPv2 File Storage | Medium | Variable | Simple file share, low complexity | No CMK or per-user key granularity |
Real-World Practitioner Insight #
Exam Rule #
“For the exam, always pick General-Purpose v2 Storage with Blob service when you see multi-tenant encryption with customer-managed keys.”
Real World #
In practice, enterprises designing hybrid storage encryption enforce CMK usage via Azure Policy and security baselines while relying on GPv2 blobs for scalable multi-tenant SaaS workloads. Azure Data Lake Storage Gen2 is chosen primarily when advanced big data analytics and hierarchical namespaces are a priority.