How I Optimized Azure Storage on a Budget for Non-Critical Dev Environments.

How I Optimized Azure Storage on a Budget for Non-Critical Dev Environments.

# azure# cloudcomputing# security# infrastructure
How I Optimized Azure Storage on a Budget for Non-Critical Dev Environments.Rahimah Sulayman

Introduction In cloud engineering, we often talk about "High Availability" and "Global...

Introduction

In cloud engineering, we often talk about "High Availability" and "Global Redundancy," but in the real world, every byte has a price tag. Not every environment needs a five-star storage plan.

In a fast-paced IT environment, speed often conflicts with security. Whether you are prototyping a new storage architecture or training junior personnel, you need an environment that is rapidly deployable, cost-effective, and secure by default.

Recently, I was tasked with building a prototype storage solution for an IT department’s training sandbox. The mission: Keep it secure, keep it standard, but most importantly, keep it cheap.

Here is how I architected a low-cost, high-security storage solution that balances agility with fiscal and technical responsibility in Azure. In this post, I’ll walk through a recent hands-on exercise where I architected a "Disposable Storage" solution in Microsoft Azure. The goal was simple: provide the IT department with a sandbox that minimizes cloud spend while enforcing enterprise-grade security standards like TLS 1.2 and Restricted Key Access.

Skilling tasks

  • Create a storage account.
  • Establish a naming convention.
  • Configure basic settings for security and networking.

The task has two parts:

  1. Create a resource group and a storage account.
  2. Configure simple settings in the storage account.

Create and deploy a resource group to hold all your project resources.

Step 1:

In the Azure portal, search for and select Resource groups.

resourcegroup

Step 2:

Select + Create.

+create

Step 3:

Give your resource group a name. For example, storagerg.

Step 4:

Select a region. Use this region throughout the project.

Step 5:

Select Review and create to validate the resource group.

new rg

Step 6:

Select Create to deploy the resource group.

created

Create and deploy a storage account to support testing and training.

Step 1:

In the Azure portal, search for and select Storage accounts.

storage accounts

Step 2:

Select + Create.

+create

Step 3:

On the Basics tab, select your Resource group.

basic tab rg

Step 4:

Provide a Storage account name. The storage account name must be unique in Azure.

Step 5:

Set the Performance to Standard.

Step 6:

Select Review + Create, and then Create.

review

create

Step 7:

Wait for the storage account to deploy and then Go to resource.

go to resource

Configure simple settings in the storage account.

The data in this storage account doesn’t require high availability or durability. A lowest cost storage solution is desired.

Step 1:

In your storage account, in the Data management section, select the Redundancy blade.

redundancy

Step 2:

Select Locally-redundant storage (LRS) in the Redundancy drop-down.

LRS
Notice that there are currently 2 Locations.
Step 3:

Be sure to Save your changes.

redundancy change

Step 4:

Refresh the page and notice the content only exists in the primary location.

one location

Now that Redundancy is completed, notice that the data is now available in only one location.

The storage account should only accept requests from secure connections.

Step 1:

In the Settings section, select the Configuration blade.

Step 2:

Ensure Secure transfer required is Enabled.

secure transfer

Developers would like the storage account to use at least TLS version 1.2.

Step 1:

In the Settings section, select the Configuration blade.

Step 2:

Ensure the Minimal TLS version is set to Version 1.2.

TLS

Until the storage is needed again, disable requests to the storage account.

Step 1:

In the Settings section, select the Configuration blade.

Step 2:

Ensure Allow storage account key access is Disabled.

storage

Step 3:

Be sure to Save your changes.

storage acct update

Ensure the storage account allows public access from all networks.

Step 1:

In the Security + networking section, select the Networking blade.

Step 2:

Ensure Public network access is set to Enabled from all networks.

public access

Step 3:

Be sure to Save your changes.

save

The "Why" Behind the Architecture

In cloud engineering, a configuration is only as good as the reasoning behind it. Here is the professional justification for the settings used in this environment:

  1. Cost Optimization: Locally-Redundant Storage (LRS) The Decision: Switched from Geo-Redundant Storage (GRS) to LRS.

The "Why": Cost Optimization(FinOps). Since the training data was non-critical and easily reproducible, high availability across regions was unnecessary. By choosing LRS, I reduced the projected storage costs by approximately 50%, demonstrating a FinOps mindset that prioritizes budget efficiency for non-production workloads.Task: Changing to LRS

  1. Identity-Centric Security: Disabling Shared Keys The Decision: Disabled "Allow storage account key access."

The "Why": Identity & Access Management (IAM): By disabling Shared Key Access, I demonstrated the "Principle of Least Privilege," forcing the environment to remain dormant and secure until active training or development is required, requiring modern, identity-based access (like RBAC) rather than easily compromised strings. Shared keys are "evergreen" credentials that can be hard to rotate and easy to leak.

  1. Data-in-Transit Protection: Enforcing TLS 1.2 The Decision: Set Minimal TLS version to 1.2 and enabled Secure Transfer.

The "Why": Security Hardening: I implemented a "Security-First" posture by enforcing Secure Transfer (HTTPS) and upgrading the Minimal TLS version to 1.2, protecting data in transit from modern vulnerabilities. Older TLS versions (1.0 and 1.1) have known vulnerabilities. Even in a "disposable" dev environment, keeping the security posture high prevents it from becoming a weak link in the organization's network.

  1. Operational Governance: Naming Conventions & Resource Groups The Decision: Established a strict naming pattern within a dedicated Resource Group.

The "Why": Standardization: Establishing a strict naming convention and centralized Resource Group management is essential for maintaining a clean, searchable, and professional Azure tenant.
Standardized naming prevents "resource sprawl" and makes it easier for automated scripts to manage resources. This level of organization ensures smooth operations team, making costs and resources easy to track at a glance.

  1. Connectivity Strategy: Controlled Public Access The Decision: Enabled Public network access.

The "Why": For rapid prototyping and training, this reduces the friction of complex VPN/Private Link setups. However, by combining this with Disabled Shared Keys, the account remains protected even while technically "reachable" on the public internet.

Conclusion

In the cloud, it is tempting to always choose the "highest" tier of service—the fastest performance, the most redundancy, and the widest access. However, true Cloud Engineering is the art of balancing requirements with resources.

By architecting this "disposable" environment, I achieved three major goals:

Cost Efficiency: I proved that you can run a robust dev environment without a massive bill by utilizing LRS.

Security Integrity: I showed that even "temporary" data deserves enterprise-grade protection like TLS 1.2 and Identity-based access.

Operational Peace: By using clear naming conventions and resource grouping, I brought order to the infrastructure, making it easy for others to manage.

Whether you are building a production-grade database or a simple training sandbox, every configuration should be an intentional choice. Optimization isn't just about saving money; it’s about demonstrating a disciplined approach to the cloud.