Create and Secure Azure Storage Accounts with CLI
Introduction
Azure Storage Accounts are essential for storing and managing data in the cloud, providing services such as Blob storage, File storage, and Queue storage. The main command used to create a storage account is az storage account create, which allows you to specify various configurations, including SKU (Stock Keeping Unit) types, replication options, access tiers, and network rules.
Understanding how to effectively create and manage storage accounts is vital for developers and system administrators, as it directly impacts performance, security, and cost management. This tutorial will guide you through the creation of Azure Storage Accounts using the Azure CLI, focusing on different SKU options (LRS, ZRS, GZRS), access tiers, and network security configurations.
Prerequisites
- Azure CLI: Ensure you have the latest version of the Azure CLI installed. You can download it from here.
- Azure Subscription: You need an active Azure subscription. If you don’t have one, you can create a free account here.
- Permissions: Ensure you have the necessary permissions to create storage accounts in your Azure subscription.
- Authentication: Sign in to your Azure account using the command:
az login
Fundamental Concepts
- Storage Account: A unique namespace for storing your Azure Storage data.
- SKU: Defines the type of storage replication used (e.g., LRS, ZRS, GZRS).
- Replication: The method by which data is copied to ensure durability and availability.
- Locally Redundant Storage (LRS): Data is replicated three times within a single region.
- Zone-Redundant Storage (ZRS): Data is replicated across multiple availability zones in the same region.
- Geo-Zone Redundant Storage (GZRS): Combines ZRS with geo-replication to another region.
- Access Tiers: Determines how data is stored based on access frequency (Hot, Cool, Archive).
- Network Rules: Controls access to the storage account from specific networks and IP addresses.
- Role-Based Access Control (RBAC): Provides fine-grained access management for Azure resources.
Command Syntax
The basic syntax for creating a storage account is as follows:
az storage account create \
--name <storage-account-name> \
--resource-group <resource-group-name> \
--location <location> \
--sku <sku-type> \
--kind <kind> \
--access-tier <access-tier>
| Parameter | Description |
|---|---|
| --name | Name of the storage account (must be unique). |
| --resource-group | Name of the resource group to which the account belongs. |
| --location | Azure region where the storage account will be created. |
| --sku | The SKU type (e.g., Standard_LRS, Standard_GZRS). |
| --kind | Type of storage account (e.g., StorageV2). |
| --access-tier | Default access tier (e.g., Hot, Cool). |
| --min-tls-version | Minimum TLS version to be used for requests. |
Practical Examples
Example 1: Create a Basic Storage Account
az storage account create \
--name mystorageaccount01 \
--resource-group MyResourceGroup \
--location eastus \
--sku Standard_LRS \
--kind StorageV2
Creates a standard locally redundant storage account in the East US region.
Example 2: Create a Geo-Redundant Storage Account
az storage account create \
--name mystorageaccount02 \
--resource-group MyResourceGroup \
--location westus \
--sku Standard_GZRS \
--kind StorageV2
Creates a geo-zone redundant storage account.
Example 3: Specify the Access Tier as Cool
az storage account create \
--name mystorageaccount03 \
--resource-group MyResourceGroup \
--location southcentralus \
--sku Standard_LRS \
--kind StorageV2 \
--access-tier Cool
Creates a storage account with a default access tier of Cool.
Example 4: Enable Network Rules
az storage account network-rule add \
--resource-group MyResourceGroup \
--account-name mystorageaccount01 \
--ip-address 203.0.113.0
Adds an IP network rule allowing access from a specific IP address. IP rules only take effect once the account's network default action is set to Deny (az storage account update --default-action Deny); while the default action remains Allow, the rule is recorded but every network can still reach the account.
Example 5: Set Minimum TLS Version
az storage account update \
--resource-group MyResourceGroup \
--name mystorageaccount01 \
--min-tls-version TLS1_2
Updates the storage account to require TLS version 1.2 or higher.
Example 6: Create a Storage Account with Hierarchical Namespace
az storage account create \
--name mystorageaccount04 \
--resource-group MyResourceGroup \
--location eastus \
--sku Standard_GZRS \
--kind StorageV2 \
--enable-hierarchical-namespace true
Creates a storage account with hierarchical namespace for Azure Data Lake Storage.
Example 7: List Storage Accounts
az storage account list --output table
Lists all storage accounts in the subscription in a tabular format.
Example 8: Update Access Tier for an Existing Storage Account
az storage account update \
--resource-group MyResourceGroup \
--name mystorageaccount01 \
--access-tier Hot
Updates the access tier to Hot for an existing storage account.
Real-World Use Cases
Scenario 1: Cost Management for a Media Company
A media company uses Azure Storage to store large volumes of video files. They can utilize the Cool access tier for infrequently accessed video files, reducing costs significantly while still ensuring they can scale as needed.
Scenario 2: Disaster Recovery for Financial Services
A financial services company requires high availability for its data. By using Geo-Zone Redundant Storage (GZRS), they ensure data is replicated across availability zones and to a secondary region, providing resilience against regional outages.
Scenario 3: Secure Data Storage with Restricted Access
A healthcare application requires strict compliance with data security regulations. By creating a storage account with Network Rules and Role-Based Access Control (RBAC), they can securely manage access to sensitive patient data.
Best Practices
- Choose the Right SKU: Select the appropriate replication and performance SKU based on your application's availability and durability needs.
- Use Access Tiers Wisely: Utilize different access tiers (Hot, Cool, Archive) to optimize storage costs based on data usage patterns.
- Implement Network Security: Always configure network rules to restrict access to only trusted IP addresses or virtual networks.
- Regular Backups: Implement a backup strategy for critical data stored in Azure Storage.
- Monitor and Analyze Usage: Use Azure Monitor and Azure Storage metrics to analyze usage patterns and adjust configurations accordingly.
Common Errors
Error: Storage account name already exists
- Cause: The specified storage account name is not unique.
- Solution: Use a different name for the storage account.
Error: Insufficient permissions
- Cause: The user does not have permission to create storage accounts.
- Solution: Ensure the user has the necessary RBAC roles assigned.
Error: Invalid SKU type
- Cause: The specified SKU type is not valid for the selected region.
- Solution: Check available SKU types for the region.
Error: Network rule conflicts
- Cause: The specified network rules conflict with existing rules.
- Solution: Review and update existing network rules to resolve conflicts.
Related Commands
| Command | Description |
|---|---|
| az storage account show | Show details of a specified storage account. |
| az storage account update | Update properties of an existing storage account. |
| az storage account delete | Delete a specified storage account. |
| az storage blob upload | Upload a blob to a specified storage account. |
| az storage file upload | Upload a file to a specified storage account. |
Automation Script
Here’s a simple bash script to automate the creation of a storage account with a specified SKU and access tier:
#!/bin/bash
set -euo pipefail # Abort on the first failing command or unset variable
# Variables
RESOURCE_GROUP="MyResourceGroup"
STORAGE_ACCOUNT_NAME="mystorageaccount$(openssl rand -hex 4)" # Generate a unique name (24 characters, the maximum allowed)
LOCATION="eastus"
SKU="Standard_GZRS"
ACCESS_TIER="Hot"
# Create resource group
az group create --name "$RESOURCE_GROUP" --location "$LOCATION" --output none
# Create storage account (variables are quoted so unexpected characters cannot split the command)
az storage account create \
  --name "$STORAGE_ACCOUNT_NAME" \
  --resource-group "$RESOURCE_GROUP" \
  --location "$LOCATION" \
  --sku "$SKU" \
  --kind StorageV2 \
  --access-tier "$ACCESS_TIER" \
  --min-tls-version TLS1_2 # Require TLS 1.2 from the start, as in Example 5
echo "Storage account '$STORAGE_ACCOUNT_NAME' created successfully!"
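The script below is an added example, not part of the original tutorial: it applies the hardening settings from Examples 4 and 5 and the network-security best practice to an existing account, then reads the settings back with az storage account show and checks them. The resource group, account name and trusted address are placeholder values, and the check_hardening function is plain shell with no Azure dependency, so it can be exercised without a subscription.

```bash
#!/bin/bash
# Added example: harden an existing storage account and verify the result.
# RESOURCE_GROUP, ACCOUNT and TRUSTED_IP are placeholder (constructed) values.
set -eu
RESOURCE_GROUP="MyResourceGroup"
ACCOUNT="mystorageaccount01"
TRUSTED_IP="203.0.113.0"

# check_hardening <minimumTlsVersion> <allowBlobPublicAccess> <enableHttpsTrafficOnly> <networkRuleSet.defaultAction>
# Pure function: returns 0 only when every value meets the baseline, printing one FAIL line per deviation.
check_hardening() {
  local tls="$1" public_access="$2" https_only="$3" default_action="$4" failed=0
  # Assumption: 'az ... --output tsv' may print booleans as True/False or true/false, so compare case-insensitively.
  public_access=$(printf '%s' "$public_access" | tr '[:upper:]' '[:lower:]')
  https_only=$(printf '%s' "$https_only" | tr '[:upper:]' '[:lower:]')
  [ "$tls" = "TLS1_2" ]          || { echo "FAIL: minimum TLS is '$tls', want TLS1_2" >&2; failed=1; }
  [ "$public_access" = "false" ] || { echo "FAIL: anonymous blob access is allowed" >&2; failed=1; }
  [ "$https_only" = "true" ]     || { echo "FAIL: plain HTTP requests are accepted" >&2; failed=1; }
  [ "$default_action" = "Deny" ] || { echo "FAIL: network default action is '$default_action', want Deny" >&2; failed=1; }
  return "$failed"
}

# Require TLS 1.2 and HTTPS, block anonymous blob access and deny all networks by
# default; the IP rule from Example 4 only has an effect once the default is Deny.
harden_storage_account() {
  az storage account update --resource-group "$RESOURCE_GROUP" --name "$ACCOUNT" \
    --min-tls-version TLS1_2 --https-only true --allow-blob-public-access false \
    --default-action Deny --bypass AzureServices --output none
  az storage account network-rule add --resource-group "$RESOURCE_GROUP" \
    --account-name "$ACCOUNT" --ip-address "$TRUSTED_IP" --output none
}

# Read the four settings back as one tab-separated line and feed them to check_hardening.
verify_storage_account() {
  local settings
  settings=$(az storage account show --resource-group "$RESOURCE_GROUP" --name "$ACCOUNT" \
    --query "[minimumTlsVersion, allowBlobPublicAccess, enableHttpsTrafficOnly, networkRuleSet.defaultAction]" \
    --output tsv) || return 1
  # shellcheck disable=SC2086  (word splitting on the tab-separated fields is intended)
  set -- $settings
  check_hardening "$1" "$2" "$3" "$4"
}

# Only contact Azure when invoked as './harden.sh run'; otherwise just define the functions.
if [ "${1:-}" = "run" ]; then
  harden_storage_account
  verify_storage_account && echo "Storage account '$ACCOUNT' meets the baseline."
fi
```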
Conclusion
In this tutorial, we covered the essentials of creating and securing Azure Storage Accounts using the Azure CLI. By understanding various configurations such as SKU types, replication methods, access tiers, and network rules, you can effectively manage your storage solutions in Azure.
To continue enhancing your Azure CLI skills, explore additional commands and automation scripts, and consider diving deeper into Azure’s storage analytics features.
