Azure storage account overview

An Azure storage account contains all of your Azure Storage data objects: blobs, files, queues, tables, and disks. The storage account provides a unique namespace for your Azure Storage data that is accessible from anywhere in the world over HTTP or HTTPS. Data in your Azure storage account is durable and highly available, secure, and massively scalable.

To learn how to create an Azure storage account, see Create a storage account.

Types of storage accounts

Azure Storage offers three types of storage accounts. Each type supports different features and has its own pricing model. Consider these differences before you create a storage account, so that you choose the type that best fits your applications. The three types of storage accounts are:

  • General-purpose v2 accounts: Basic storage account type for blobs, files, queues, and tables. Recommended for most scenarios using Azure Storage.
  • General-purpose v1 accounts: Legacy account type for blobs, files, queues, and tables. Use general-purpose v2 accounts instead when possible.
  • Blob storage accounts: Blob-only storage accounts. Use general-purpose v2 accounts instead when possible.

The following table describes the types of storage accounts and their capabilities:

Storage account type | Supported services | Supported performance tiers | Supported access tiers | Replication options | Deployment model (1) | Encryption (2)
General-purpose V2 | Blob, File, Queue, Table, and Disk | Standard, Premium (4) | Hot, Cool, Archive (3) | LRS, GRS, RA-GRS | Resource Manager | Encrypted
General-purpose V1 | Blob, File, Queue, Table, and Disk | Standard, Premium (4) | N/A | LRS, GRS, RA-GRS | Resource Manager, Classic | Encrypted
Blob storage | Blob (block blobs and append blobs only) | Standard | Hot, Cool, Archive (3) | LRS, GRS, RA-GRS | Resource Manager | Encrypted

(1) Using the Azure Resource Manager deployment model is recommended. Storage accounts using the classic deployment model can still be created in some locations, and existing classic accounts continue to be supported. For more information, see Azure Resource Manager vs. classic deployment: Understand deployment models and the state of your resources.
(2) All storage accounts are encrypted using Storage Service Encryption (SSE) for data at rest. For more information, see Azure Storage Service Encryption for Data at Rest.
(3) The Archive tier is available at the level of an individual blob only, not at the storage account level. Only block blobs and append blobs can be archived. For more information, see Azure Blob storage: Hot, Cool, and Archive storage tiers.
(4) Premium performance for general-purpose v2 and general-purpose v1 accounts is available for disks and page blobs only.

General-purpose v2 accounts

General-purpose v2 storage accounts support the latest Azure Storage features and incorporate all of the functionality of general-purpose v1 and Blob storage accounts. General-purpose v2 accounts deliver the lowest per-gigabyte capacity prices for Azure Storage, as well as industry-competitive transaction prices. General-purpose v2 storage accounts support these Azure Storage services:

  • Blobs (all types: Block, Append, Page)
  • Files
  • Disks
  • Queues
  • Tables

Note

We recommend using a general-purpose v2 storage account for most scenarios. You can upgrade a general-purpose v1 or Blob storage account to a general-purpose v2 account with no downtime and without the need to copy data.

For more information on upgrading to a general-purpose v2 account, see Upgrade to a general-purpose v2 storage account.

General-purpose v2 storage accounts offer multiple access tiers for storing data based on your usage patterns. For more information, see Access tiers for block blob data.

General-purpose v1 accounts

General-purpose v1 accounts provide access to all Azure Storage services, but may not have the latest features or the lowest per-gigabyte pricing. General-purpose v1 storage accounts support these Azure Storage services:

  • Blobs (all types)
  • Files
  • Disks
  • Queues
  • Tables

While general-purpose v2 accounts are recommended in most cases, general-purpose v1 accounts are best suited to these scenarios:

  • Your applications require the Azure classic deployment model. General-purpose v2 accounts and Blob storage accounts support only the Azure Resource Manager deployment model.

  • Your applications are transaction-intensive or use significant geo-replication bandwidth, but do not require large capacity. In this case, general-purpose v1 may be the most economical choice.

  • You use a version of the Storage Services REST API that is earlier than 2014-02-14, or a client library with a version lower than 4.x, and cannot upgrade your application.

Naming storage accounts

When naming your storage account, keep these rules in mind:

  • Storage account names must be between 3 and 24 characters in length and may contain numbers and lowercase letters only.
  • Your storage account name must be unique within Azure. No two storage accounts can have the same name, because the name becomes part of the account's endpoint host names (see Storage account endpoints below), which are globally unique DNS names.

Performance tiers

General-purpose storage accounts may be configured for either of the following performance tiers:

  • A standard performance tier for storing blobs, files, tables, queues, and Azure virtual machine disks.
  • A premium performance tier for storing unmanaged virtual machine disks only.

Access tiers for block blob data

Azure Storage provides different options for accessing block blob data based on usage patterns. Each access tier in Azure Storage is optimized for a particular pattern of data usage. By selecting the right access tier for your needs, you can store your block blob data in the most cost-effective manner.

The available access tiers are:

  • The Hot access tier, which is optimized for frequent access of objects in the storage account. Accessing data in the hot tier is the most cost-effective, while storage costs are higher. New storage accounts are created in the hot tier by default.
  • The Cool access tier, which is optimized for storing large amounts of data that is infrequently accessed and stored for at least 30 days. Storing data in the cool tier is more cost-effective, but accessing that data may be more expensive than accessing data in the hot tier.
  • The Archive tier, which is available only for individual block blobs. The archive tier is optimized for data that can tolerate several hours of retrieval latency and will remain in the Archive tier for at least 180 days. The archive tier is the most cost-effective option for storing data, but accessing that data is more expensive than accessing data in the hot or cool tiers.

If there is a change in the usage pattern of your data, you can switch between these access tiers at any time. For more information about access tiers, see Azure Blob storage: hot, cool, and archive access tiers.

Important

Changing the access tier for an existing storage account or blob may result in additional charges. For more information, see the Storage account billing section.

Replication

The replication options for a storage account are LRS (locally redundant storage), GRS (geo-redundant storage), and RA-GRS (read-access geo-redundant storage), as listed in the table above.

For more information about storage replication, see Azure Storage replication.

Encryption

All data in your storage account is encrypted on the service side. For more information about encryption, see Azure Storage Service Encryption for data at rest.

Storage account endpoints

A storage account provides a unique namespace in Azure for your data. Every object that you store in Azure Storage has an address that includes your unique account name. The combination of the account name and the Azure Storage service endpoint forms the endpoints for your storage account.

For example, if your general-purpose storage account is named mystorageaccount, then the default endpoints for that account are:

  • Blob storage: http://mystorageaccount.blob.core.chinacloudapi.cn
  • Table storage: http://mystorageaccount.table.core.chinacloudapi.cn
  • Queue storage: http://mystorageaccount.queue.core.chinacloudapi.cn
  • Azure Files: http://mystorageaccount.file.core.chinacloudapi.cn

Note

A Blob storage account exposes only the Blob service endpoint.

The endpoints above are written with http:// because the service accepts both HTTP and HTTPS by default. A Shared Key Authorization header or a SAS token carried in a plaintext HTTP request can be read by anyone on the network path, so for anything but local experiments use https:// and enable the storage account's "Secure transfer required" setting, which makes the service reject requests over HTTP.

The URL for accessing an object in a storage account is constructed by appending the object's location in the storage account to the endpoint. For example, a blob address might have this format: http://mystorageaccount.blob.core.chinacloudapi.cn/mycontainer/myblob.

You can also configure your storage account to use a custom domain for blobs. For more information, see Configure a custom domain name for your Azure Storage account.

Control access to account data

By default, the data in your account is available only to you, the account owner. You have control over who may access your data and what permissions they have.

Every request made against your storage account must be authorized, unless you have explicitly enabled anonymous public read access on a container. At the level of the service, the request must include a valid Authorization header, which includes all of the information necessary for the service to validate the request before executing it.

You can grant access to the data in your storage account using any of the following approaches:

  • Azure Active Directory: Use Azure Active Directory (Azure AD) credentials to authenticate a user, group, or other identity for access to blob and queue data. If authentication of an identity is successful, then Azure AD returns a token to use in authorizing the request to Azure Blob storage or Queue storage. For more information, see Authenticate access to Azure Storage using Azure Active Directory.
  • Shared Key authorization: Use your storage account access key to construct a connection string that your application uses at runtime to access Azure Storage. The values in the connection string are used to construct the Authorization header that is passed to Azure Storage. Anyone who obtains the access key has full control of every service in the account, so treat the connection string as a secret and keep it out of source code. For more information, see Configure Azure Storage connection strings.
  • Shared access signature: Use a shared access signature to delegate access to resources in your storage account, if you are not using Azure AD authentication. A shared access signature is a token, carried in the URL, that encapsulates all of the information needed to authorize a request to Azure Storage. You can specify the storage resource, the permissions granted, and the interval over which the permissions are valid as part of the shared access signature. For more information, see Using shared access signatures (SAS).
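The Shared Key bullet above says the connection string's values are "used to construct the Authorization header", but not how. The following is an added example, not code from the original page or from the Azure SDK: it parses a connection string and computes the Shared Key header for a Blob service request the way the service expects it, as HMAC-SHA256 over a canonical string-to-sign, keyed with the base64-decoded account key. The account name, the key, the connection string and the request are all constructed sample values; the header layout follows the published Shared Key scheme for service version 2009-09-19 and later.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed sample values (not real credentials): a 64-byte key encoded the
# way it appears in a connection string, and the connection string itself.
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode("ascii")
SAMPLE_CONNECTION_STRING = (
    "DefaultEndpointsProtocol=https;"
    "AccountName=mystorageaccount;"
    "AccountKey=" + SAMPLE_KEY + ";"
    "EndpointSuffix=core.chinacloudapi.cn"
)

# Standard headers, in the fixed order the Blob/Queue string-to-sign uses
# (service version 2009-09-19 and later). Missing headers are signed as empty.
STANDARD_HEADERS = (
    "Content-Encoding", "Content-Language", "Content-Length", "Content-MD5",
    "Content-Type", "Date", "If-Modified-Since", "If-Match", "If-None-Match",
    "If-Unmodified-Since", "Range",
)


def parse_connection_string(conn: str) -> dict:
    """Split 'Key=Value;Key=Value' into a dict; values may contain '=' (base64 padding)."""
    fields = {}
    for segment in conn.split(";"):
        if segment:
            name, _, value = segment.partition("=")
            fields[name] = value
    return fields


def string_to_sign(method: str, url: str, headers: dict, account: str) -> str:
    """Build the canonical string that Shared Key signs for a Blob service request."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [method.upper()]
    for name in STANDARD_HEADERS:
        value = lower.get(name.lower(), "")
        if name == "Content-Length" and value == "0":
            value = ""  # a zero Content-Length is signed as empty (version 2015-02-21 and later)
        lines.append(value)
    # CanonicalizedHeaders: every x-ms-* header, lowercased and sorted, as "name:value\n".
    canonical_headers = "".join(
        f"{k}:{v}\n" for k, v in sorted(lower.items()) if k.startswith("x-ms-")
    )
    # CanonicalizedResource: "/account/path", then each query parameter as
    # "\nname:value", names lowercased and sorted, repeated values comma-joined.
    parts = urlsplit(url)
    query = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        query.setdefault(name.lower(), []).append(value)
    canonical_resource = f"/{account}{parts.path}"
    for name in sorted(query):
        canonical_resource += f"\n{name}:{','.join(sorted(query[name]))}"
    lines.append(canonical_headers + canonical_resource)
    return "\n".join(lines)


def shared_key_header(method: str, url: str, headers: dict, conn: str) -> str:
    """Return the Authorization value: 'SharedKey <account>:<base64 HMAC-SHA256>'."""
    fields = parse_connection_string(conn)
    account = fields["AccountName"]
    key = base64.b64decode(fields["AccountKey"])  # the raw key bytes are the HMAC secret
    message = string_to_sign(method, url, headers, account).encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(digest).decode('ascii')}"


# Constructed sample request: list the blobs in container "mycontainer".
SAMPLE_METHOD = "GET"
SAMPLE_URL = ("https://mystorageaccount.blob.core.chinacloudapi.cn/mycontainer"
              "?restype=container&comp=list")
SAMPLE_HEADERS = {
    "x-ms-date": "Tue, 20 Mar 2018 10:00:00 GMT",
    "x-ms-version": "2018-03-28",
}


def sample_string_to_sign() -> str:
    return string_to_sign(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS, "mystorageaccount")


def sample_authorization() -> str:
    return shared_key_header(SAMPLE_METHOD, SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_CONNECTION_STRING)


if __name__ == "__main__":
    print(sample_string_to_sign())
    print("Authorization:", sample_authorization())
```

Two things the code makes visible that the prose does not: the signature covers the x-ms-date header, so a captured header is only replayable within the service's clock skew window, and the only secret in the whole computation is the account key, which is why leaking a connection string is equivalent to leaking the account.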

Note

Authenticating users or applications using Azure AD credentials provides better security and ease of use than the other means of authorization. While you can continue to use Shared Key authorization with your applications, using Azure AD removes the need to store your account access key with your code. You can also continue to use shared access signatures (SAS) to grant fine-grained access to resources in your storage account, but Azure AD offers similar capabilities without the need to manage SAS tokens or worry about revoking a compromised SAS. Note that a SAS signed directly with the account key cannot be revoked on its own: invalidating it means regenerating the key that signed it, which also invalidates every other SAS signed with that key. Only a SAS bound to a stored access policy can be revoked individually, by changing or deleting the policy.

We recommend using Azure AD authentication for your Azure Storage blob and queue applications when possible.
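The Note above warns about the difficulty of revoking a compromised SAS, and the bullet list describes what a SAS encodes (resource, permissions, validity interval). As an added example, not part of the original page or of any Azure tooling, here is a small audit that inspects a SAS before it is handed to a partner or baked into a client, flagging the properties a security reviewer looks for: modifying permissions, long or missing expiry, no HTTPS restriction, no source IP range, and no stored access policy (so no per-token revocation). The field names sv, sp, st, se, sr, ss, srt, spr, sip, si and sig are the public SAS query parameters; the two sample tokens, their placeholder sig values and the 24-hour threshold are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Time formats a SAS may use in st (start) and se (expiry).
_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")


def parse_sas(token: str) -> dict:
    """Accept a full URL or a bare query string and return the SAS fields."""
    query = urlsplit(token).query if "://" in token else token.lstrip("?")
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def parse_sas_time(value: str) -> datetime:
    for fmt in _TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS time: {value!r}")


def audit_sas(token: str, now: datetime, max_lifetime: timedelta = timedelta(hours=24)) -> list:
    """Return a list of findings; an empty list means the token passed every check."""
    fields = parse_sas(token)
    if "sig" not in fields or "sv" not in fields:
        return ["not a SAS token: 'sv' and 'sig' are required"]
    findings = []
    # ss/srt only appear on an account SAS, which spans services rather than one resource.
    if "ss" in fields or "srt" in fields:
        findings.append("account SAS (ss/srt): grants access across services, not one resource")
    perms = fields.get("sp", "")
    if set(perms) & set("wdacup"):
        findings.append(f"modifying permissions granted (sp={perms}); read-only would be 'r' or 'rl'")
    if "se" in fields:
        expiry = parse_sas_time(fields["se"])
        if expiry <= now:
            findings.append(f"already expired at {fields['se']}")
        elif expiry - now > max_lifetime:
            findings.append(f"expiry {fields['se']} is more than {max_lifetime} away")
    elif "si" not in fields:
        # Without se the expiry must come from a stored access policy; here there is none.
        findings.append("no expiry (se) and no stored access policy (si) to supply one")
    if fields.get("spr") != "https":
        findings.append("spr is not 'https': the token is also accepted over plaintext HTTP")
    if "sip" not in fields:
        findings.append("no sip range: usable from any source address")
    if "si" not in fields:
        findings.append("no stored access policy (si): revocation requires regenerating the account key")
    return findings


# Constructed sample tokens; the sig values are placeholders, not real signatures.
BROAD_SAS = (
    "https://mystorageaccount.blob.core.chinacloudapi.cn/mycontainer"
    "?sv=2018-03-28&sr=c&sp=rwdl&se=2030-01-01T00:00:00Z&sig=cGxhY2Vob2xkZXI%3D"
)
NARROW_SAS = (
    "?sv=2018-03-28&sr=b&sp=r&st=2018-03-20T09:00:00Z&se=2018-03-20T12:00:00Z"
    "&spr=https&sip=10.0.0.4-10.0.0.7&si=readonly-policy&sig=cGxhY2Vob2xkZXI%3D"
)
SAMPLE_NOW = datetime(2018, 3, 20, 10, 0, tzinfo=timezone.utc)


def audit_samples() -> dict:
    """Audit both constructed tokens at the constructed 'now'."""
    return {
        "broad": audit_sas(BROAD_SAS, SAMPLE_NOW),
        "narrow": audit_sas(NARROW_SAS, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or ["ok"])
```

The audit reads only the public fields and never needs the account key, so it can run wherever a SAS is issued or received; it does not verify sig, which only the service (or the key holder) can do.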

Copying data into a storage account

Microsoft provides utilities and libraries for importing your data from on-premises storage devices or third-party cloud storage providers. Which solution you use depends on the quantity of data you are transferring.

When you upgrade to a general-purpose v2 account from a general-purpose v1 or Blob storage account, your data is migrated automatically. We recommend this path for upgrading your account. However, if you decide to move data from a general-purpose v1 account to a Blob storage account, you will need to migrate your data manually using the tools and libraries described below.

AzCopy

AzCopy is a Windows command-line utility designed for high-performance copying of data to and from Azure Storage. You can use AzCopy to copy data into a Blob storage account from an existing general-purpose storage account, or to upload data from on-premises storage devices. For more information, see Transfer data with the AzCopy Command-Line Utility.

Data movement library

The Azure Storage data movement library for .NET is based on the core data movement framework that powers AzCopy. The library is designed for high-performance, reliable, and easy data transfer operations similar to AzCopy. You can use it to take advantage of the features provided by AzCopy in your application natively, without having to run and monitor external instances of AzCopy. For more information, see Azure Storage Data Movement Library for .NET.

REST API or client library

You can create a custom application to migrate your data into a Blob storage account using one of the Azure client libraries or the Azure Storage services REST API. Azure Storage provides rich client libraries for multiple languages and platforms, such as .NET, Java, C++, Node.js, PHP, Ruby, and Python. The client libraries offer advanced capabilities such as retry logic, logging, and parallel uploads. You can also develop directly against the REST API, which can be called from any language that can make HTTP/HTTPS requests.

For more information about the Azure Storage REST API, see Azure Storage Services REST API Reference.

Important

Blobs encrypted using client-side encryption store encryption-related metadata with the blob. If you copy a blob that is encrypted with client-side encryption, ensure that the copy operation preserves the blob metadata, and especially the encryption-related metadata. If you copy a blob without the encryption metadata, the blob content cannot be retrieved again. For more information regarding encryption-related metadata, see Azure Storage Client-Side Encryption.

Azure Import/Export service

If you have a large amount of data to import to your storage account, consider the Azure Import/Export service. The Import/Export service is used to securely import large amounts of data to Azure Blob storage and Azure Files by shipping disk drives to an Azure datacenter.

The Import/Export service can also be used to transfer data from Azure Blob storage to disk drives and ship them to your on-premises sites. Data from one or more disk drives can be imported either to Azure Blob storage or Azure Files. For more information, see What is Azure Import/Export service?.

Storage account billing

You are billed for Azure Storage based on your storage account usage. All objects in a storage account are billed together as a group.

Storage costs are calculated according to the following factors: region/location, account type, access tier, storage capacity, replication scheme, storage transactions, and data egress.

  • Region refers to the geographical region in which your account is based.
  • Account type refers to the type of storage account you are using.
  • Access tier refers to the data usage pattern you have specified for your general-purpose v2 or Blob storage account.
  • Storage capacity refers to how much of your storage account allotment you are using to store data.
  • Replication determines how many copies of your data are maintained at one time, and in what locations.
  • Transactions refer to all read and write operations to Azure Storage.
  • Data egress refers to any data transferred out of an Azure region. When the data in your storage account is accessed by an application that is not running in the same region, you are charged for data egress.

The Azure Storage Pricing page provides detailed pricing information based on account type, storage capacity, replication, and transactions. The Data Transfers Pricing Details page provides detailed pricing information for data egress. You can use the Azure Storage Pricing Calculator to help estimate your costs.

Next steps