Azure

Azure Blob Storage Tier Strategy: Hot / Cool / Cold / Archive Selection & Lifecycle Management

2026-05-24
NicheeLab Editorial Team

Azure Blob Storage is the most widely used object storage service in Azure. Picking the right access tier across Hot / Cool / Cold / Archive can save millions of yen per year. This article walks through Blob Storage tier strategy, lifecycle management, replication, and security end-to-end.

The Four Access Tiers

TierStorage CostTransaction CostMin RetentionRetrieval TimeUse Case
HotHighLowestNoneImmediateFrequent access
CoolMediumMedium30 daysImmediateInfrequent access, 30+ days
ColdLowHigh90 daysImmediateRare access, 90+ days
ArchiveLowestHighest180 days1-15 hoursLong-term retention, compliance

Standard mapping:

  • Internal files / images / videos: Hot
  • Logs / backups: Cool
  • Compliance long-term retention: Cold
  • Regulatory 5-10 year retention (tax records, medical records): Archive

Lifecycle Management Policies

A Storage Account lifecycle management policy is a JSON-based rule engine that automatically transitions and deletes blobs across tiers.

Typical Rules

  • Move Hot → Cool 30 days after creation
  • Move Cool → Cold at 180 days
  • Move Cold → Archive at 365 days
  • Delete at 2,555 days (7 years)
  • Move to Cool 90 days after last access (requires Last Accessed Tracking enabled)
  • Target only blobs with specific tags, paths, or prefixes

How to Apply

  • Azure Portal: Storage Account → Data Management → Lifecycle Management
  • PowerShell: Set-AzStorageAccountManagementPolicy
  • Azure CLI: az storage account management-policy create

Up to 100 rules per Storage Account. The cost savings in production are huge (often millions of yen per year), so this is a must-configure feature. Last Accessed Tracking is disabled by default and must be explicitly enabled (and it only tracks accesses after enablement).

Archive Retrieval (Rehydration)

Archive Blob retrieval methods:

MethodRetrieval TimeCostUse Case
High Priority RehydrationUnder 1 hour (under 15 GB)Several times standardEmergencies
Standard RehydrationA few hours up to 15 hoursStandardPlanned retrieval
Copy operationAsynchronousStandardRetrieve while keeping the original Archive blob

During rehydration the blob cannot be read; completion notifications are delivered via Event Grid. Archive is the strongest cost optimization for compliance requirements like '5-year retention, retrieved once a year for audits', but never use it for data that needs immediate access.

Replication (LRS / ZRS / GRS / GZRS)

OptionRedundancy ScopeDurability SLACostUse Case
LRS3 copies within a single datacenter11 9sLowestLowest cost, non-mission-critical
ZRS3 copies across 3 AZs in the same region12 9sLowGeneral production
GRSPrimary LRS + secondary region LRS16 9sMediumRegional disaster recovery
GZRSPrimary ZRS + secondary LRSHighestHighCritical production
RA-GRS / RA-GZRSGRS/GZRS + secondary read accessSame as aboveDisaster Recovery

Standard playbook: general production → ZRS, critical production → GZRS, lowest cost → LRS, disaster recovery required → RA-GZRS.

Performance Tiers (Standard vs Premium)

ItemStandardPremium Block Blob
StorageHDDSSD
Latency10-100 ms1-3 ms
IOPSMediumHigh
Access TiersHot / Cool / Cold / ArchiveHot only
CostLowHigh (several to 10x Standard)
Use CaseGeneral purposeHigh-volume small files, ML datasets, real-time analytics

On cost, Standard is enough for the vast majority of workloads; only use Premium Block Blob when you have a clear low-latency requirement.

Security Best Practices

  1. Disable public access: Allow Blob Anonymous Access = false; only via Private Endpoint
  2. Microsoft Entra ID authentication: RBAC roles such as Storage Blob Data Contributor; reserve Storage Account Keys for emergencies
  3. SAS tokens: Always set an expiration (centrally managed via Stored Access Policy); prefer User Delegation SAS (Entra ID-based)
  4. Customer-Managed Key (CMK): Encryption integrated with Key Vault or Managed HSM
  5. Microsoft Defender for Storage: Malicious upload detection and Sensitive Data Discovery
  6. Network Access: Restrict to Selected Networks + Private Endpoint
  7. Versioning + Soft Delete: Protection against logical and accidental deletion
  8. Diagnostic Logs: Send to Log Analytics; monitor with Microsoft Sentinel

Cost Optimization Checklist

  1. Configure lifecycle management policies (automatic Hot → Cool → Cold → Archive transitions)
  2. Enable Last Accessed Tracking for access-based tier transitions
  3. Auto-delete rules for unneeded blobs
  4. Don't over-replicate (ZRS is enough for general production; GZRS only when needed)
  5. Purchase Reserved Capacity (1-3 year terms for up to 38% discount)
  6. Periodically delete unneeded Snapshots / Versions
  7. Tune Diagnostic Logs retention (reduces Log Analytics cost)

Related Certifications

Frequently Asked Questions

What are the 4 Blob Storage access tiers?

Hot, Cool, Cold, and Archive are the four tiers. Hot: for frequently accessed data with the highest storage cost but the lowest transaction cost. Cool: for data kept 30+ days with infrequent access, with medium storage and medium transaction cost, a 30-day minimum retention (early deletion incurs a penalty). Cold: GA in 2022, intended for 90+ day retention, cheaper storage than Cool but more expensive than Archive, with higher transaction costs than Cool and a 90-day minimum. Archive: for long-term retention with yearly-scale access, the cheapest storage tier but takes hours-to-15-hours to retrieve, with a 180-day minimum. Standard playbook: organizational files → Hot, logs and backups → Cool, compliance long-term retention → Cold, regulatory 5-10 year retention → Archive.

What is a lifecycle management policy?

A Storage Account lifecycle management policy is a JSON-based rule engine that automatically transitions and deletes blobs across tiers. Typical rules: 1) move Hot → Cool 30 days after creation, Cool → Cold at 180 days, Cold → Archive at 365 days, and delete at 2,555 days (7 years). 2) Move to Cool 90 days after last access (requires Last Accessed Tracking to be enabled). 3) Target only blobs with specific tags, paths, or prefixes. Rules are defined in JSON and applied via the Azure Portal, PowerShell, or Azure CLI. Up to 100 rules per Storage Account. The cost savings in production are huge (often millions of yen per year), so this is a must-configure feature. Last Accessed Tracking is disabled by default and must be explicitly enabled (and only tracks accesses after enablement).

What are the Archive retrieval methods and timings?

Archive Blob retrieval has four options: 1) High Priority Rehydration: under 1 hour for blobs under 15 GB, costs several times the standard rate, for emergencies. 2) Standard Rehydration: a few hours up to 15 hours, standard cost, for planned retrievals. 3) Direct tier change with Set-AzStorageBlobContent to rehydrate to Cool/Hot (the most common approach). 4) Copy operation: rehydrate by copying to a separate blob, leaving the original Archive blob intact. During rehydration the blob cannot be read; completion notifications are delivered via Event Grid. Archive is the strongest cost optimization for compliance requirements like '5-year retention, retrieved once a year for audits', but never use it for data that needs immediate access.

How do LRS, ZRS, GRS, GZRS, and RA-GRS replication differ?

These are Storage Account redundancy options. LRS (Locally Redundant Storage): 3 copies within a single datacenter, cheapest, 99.999999999% (11 9s) durability, weak against regional disasters. ZRS (Zone Redundant Storage): 3 copies across 3 Availability Zones in the same region, 99.9999999999% (12 9s), AZ-level redundancy. GRS (Geo Redundant Storage): LRS in the primary + asynchronous LRS in a secondary region, 99.99999999999999% (16 9s), covers regional disasters. GZRS (Geo Zone Redundant Storage): ZRS in the primary + asynchronous LRS in the secondary, highest availability and highest cost. RA-GRS / RA-GZRS (Read-Access GRS/GZRS): enables read access to the secondary region, so you can read from the secondary even in steady state. Standard playbook: general production → ZRS, critical production → GZRS, lowest cost → LRS, disaster recovery required → RA-GZRS.

Can I transition directly from Hot to Archive?

Yes. Access tiers can move directly between any combination of Hot ↔ Cool ↔ Cold ↔ Archive, so Hot → Archive direct transitions are fine. The minimum retention rules still apply, however: moving or deleting within 30 days of a Cool transition incurs an early deletion fee (prorated), 90 days for Cold, and 180 days for Archive. In practice: uploading directly to Archive (one-shot archive writes) is valid, transitioning Hot → Archive right after upload is fine with no early deletion fee, but deletions or transitions before the 30/90/180-day thresholds for Cool/Cold/Archive will incur early deletion charges. Keep these rules in mind and the design decisions become clear.

What's the difference between Premium Block Blob and Standard?

These are Storage Account performance tiers. Standard: general purpose, supports all 4 access tiers (Hot/Cool/Cold/Archive), focused on cost optimization. Premium Block Blob: SSD-based, low latency (1-3 ms), high IOPS, Hot tier only (no Cool/Cold/Archive support), several to 10x the cost of Standard. Premium Block Blob shines for: 1) high-volume small-file read/write (ML datasets, log aggregation), 2) intermediate data in real-time analytics, 3) high-frequency API-based access, 4) high-performance AKS PersistentVolume requirements. The vast majority of workloads are fine with Standard; only use Premium Block Blob when you have a clear low-latency requirement. Beyond Block Blob, there are also Premium Page Blob (VM Managed Disk) and Premium File Storage (Azure Files) variants.

What are the Blob security best practices?

Key security controls: 1) Disable public access on the Storage Account (Allow Blob Anonymous Access = false) and only allow access via Private Endpoint. 2) Use Microsoft Entra ID authentication (RBAC roles such as Storage Blob Data Contributor) and limit Storage Account Keys to emergencies. 3) Always set an expiration on SAS tokens (centrally managed via Stored Access Policy) and prefer User Delegation SAS (Entra ID-based). 4) Encrypt with Customer-Managed Keys (CMK) integrated with Key Vault or Managed HSM. 5) Enable Microsoft Defender for Storage (malicious upload detection, Sensitive Data Discovery). 6) Restrict network access to Selected Networks + Private Endpoint. 7) Enable Versioning + Soft Delete to protect against logical/accidental deletion. 8) Send diagnostic logs to Log Analytics and monitor them with Microsoft Sentinel. These are must-configure items in production to prevent incidents.

Which certifications cover this?

AZ-104 (Administrator) Domain 2 (Storage, 15-20%) tests Blob, Files, access tiers, lifecycle, replication, and SAS in depth. AZ-204 (Developer Associate, retiring 2026-07) covers Blob operations via SDKs, AZ-305 (Solutions Architect Expert) covers storage selection architecture, DP-203 / DP-700 (Data Engineer) cover data lake use cases, SC-300 (Identity Admin) covers RBAC authentication, and SC-100 (Cybersecurity Architect Expert) covers data protection design. Understanding Storage Accounts is essential for every engineer who works with Azure.

Related Articles & Deep Dives

Azure Architect キャリアロードマップ|AZ-900 → AZ-305 → SC-100 シニアアーキテクトへの道【2026 年版】

Azure Solutions Architect になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-305 の王道ルート、AZ-400 / SC-100 / AZ-700 との二刀流 / 三刀流戦略、マルチクラウド対応 (AWS / GCP)、未経験から 7-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Azure セキュリティエンジニア キャリアロードマップ|SC-900 → SC-200/300/400 → SC-100 シニアへの道【2026 年版】

Azure セキュリティエンジニアになるための認定取得ロードマップ完全版。SC-900 → SC-200/300/400 のいずれか → SC-100 / SC-500 の王道ルート、ロール別の優先順序、CISSP との二刀流戦略、SC-500 (旧 AZ-500 後継、2026-09 GA 予定) の動向、10-15 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Azure DevOps エンジニア キャリアロードマップ|AZ-104 → AZ-400 → SC-100 シニア DevOps への道【2026 年版】

Azure DevOps Engineer になるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-400 の王道ルート、GitHub と Azure DevOps の両方を扱う AZ-400 の構成、Kubernetes 認定 (CKA / CKAD / CKS) との二刀流、IaC (Bicep / Terraform) 戦略、年収レンジまで日本語で網羅。

Azure ネットワークエンジニア キャリアロードマップ|AZ-104 → AZ-700 → シニアネットワークアーキテクトへの道【2026 年版】

Azure ネットワークエンジニアになるための認定取得ロードマップ完全版。AZ-900 → AZ-104 → AZ-700 の王道ルート、Hub-Spoke / Virtual WAN / ExpressRoute / Azure Firewall / Front Door の実装、Cisco CCNP / AWS Advanced Networking との二刀流、9-12 ヶ月の学習プラン、年収レンジまで日本語で網羅。

Technical information in this article is based on the Azure Blob Storage Documentation. This article is not an official Microsoft Corporation product and has no affiliation or sponsorship. Microsoft and Azure are trademarks of the Microsoft group of companies. Information is based on official public materials as of May 24, 2026. Always check the official pages for the latest information.

Check what you learned with practice questions

Practice with certification-focused question sets

View Azure exam prep
Author

NicheeLab Editorial Team

NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.


Related articles
Azure

AZ-900 Azure Fundamentals: Complete Exam Guide (2026)

Pass AZ-900 — cloud concepts, Azure architecture, management...

Azure

Azure Certification Roadmap: Which Cert to Take Next (2026)

Choose your Azure certification path — Fundamentals, Associa...

Azure

AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)

Pass AI-901 — Microsoft Foundry, generative AI, responsible ...

Azure

Microsoft Entra ID Fundamentals for Azure Certs (2026)

Entra ID basics every cert candidate needs — tenants, identi...

Azure

DP-900 Azure Data Fundamentals: Complete Guide (2026)

Pass DP-900 — relational, non-relational, analytics, Power B...

Browse all Azure articles (104)
© 2026 NicheeLab All rights reserved.