Azure Blob Storage Migration — Setup Guide
Application: MOC & PCR Management System
Storage Provider: Microsoft Azure Blob Storage
Audience: IT Administrator / System Owner
Overview
The MOC-PCR system stores uploaded files (documents, images, attachments) using Azure Blob Storage.
The architecture is intentionally simple:
- Files are stored in a dedicated Azure Storage Account.
- Files are accessible via direct HTTPS URLs.
- No CDN is required (expected read volume is low).
- URLs are stored securely in the application database.
- Files are downloaded via controlled application workflows (not exposed publicly in UI).
This setup ensures simplicity, reliability, and ease of maintenance.
Architecture Flow
User Upload
│
▼
Application Backend (/api/upload)
│
▼
Azure Blob Storage (Public Blob Access Enabled)
│
▼
Secure HTTPS File URL Returned
│
▼
Stored in Application Database
Files are accessed directly via Azure Blob HTTPS URLs when required.
Prerequisites
| Requirement | Details |
|---|---|
| Azure Subscription | Active Azure subscription |
| Resource Group | Existing or new |
| HTTPS Access | Must remain enabled |
| Public Blob Access | Must be enabled (see below) |
Part 1 — Azure Storage Account Setup
Step 1 — Create Storage Account
- Sign in to the Azure Portal.
- Navigate to Storage Accounts → Create.
- Configure:
| Setting | Value |
|---|---|
| Subscription | Your active subscription |
| Resource Group | Existing or create new |
| Storage Account Name | mocpcr-storage-prod (example) |
| Region | Same region as application |
| Performance | Standard |
| Redundancy | LRS |
- Click Review + Create → Create.
Step 2 — Enable Public Blob Access
After deployment:
- Go to the created Storage Account.
- Navigate to Configuration.
- Ensure:
| Setting | Required Value |
|---|---|
| Allow Blob anonymous access | Enabled |
| Secure transfer required | Enabled |
| Minimum TLS version | 1.2 |
Click Save if changed.
⚠️ Public access is required so files can be accessed via direct HTTPS URL.
Step 3 — Create Blob Container
- Go to Data Storage → Containers
- Click + Container
- Configure:
| Setting | Value |
|---|---|
| Name | uploads |
| Public access level | Blob (anonymous read access for blobs only) |
Click Create.
Important: Access level must be Blob, not Private.
Step 4 — Access Keys (Server Configuration Only)
Navigate to:
Storage Account → Access keys
Copy:
- Storage Account Name
- Key1
These will be configured in the application environment variables.
Part 2 — Application Environment Variables
Add the following environment variables on the application server:
# ── Azure Blob Storage ────────────────────────────────────────
AZURE_STORAGE_ACCOUNT_NAME=<your_storage_account_name>
AZURE_STORAGE_ACCOUNT_KEY=<Key1 from Access Keys>
AZURE_STORAGE_CONTAINER=uploads
These values must:
- Not be committed to source control
- Be stored securely in the server configuration
- Be rotated if compromised
Part 3 — File Access Behavior
When a file is uploaded:
- It is stored inside the uploads container.
- A URL is generated in the format:
https://<storage_account>.blob.core.windows.net/uploads/<file-name>
Example:
https://mocpcr-storage-prod.blob.core.windows.net/uploads/document.pdf
This URL:
- Is accessible via HTTPS
- Does not expose internal credentials
- Is stored securely in the application database
- Is not publicly listed anywhere in the UI
Files are only accessed when:
- A user previews a document
- A user downloads an attachment
- An image is rendered in the interface
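The upload and URL-generation behaviour described in Parts 2 and 3, as an added example (this is not the MOC-PCR project's own code). It assumes a Python backend using the official azure-storage-blob SDK; the function names, the random name prefix, and the sample environment values in the main block are this example's own choices. Only the account name and container appear in the returned URL; the account key stays server-side.

```python
# Added example (not the MOC-PCR project's own code): a server-side upload
# helper that reads the three Part 2 environment variables, derives a safe
# blob name, uploads with the account key, and returns the Part 3 URL format.
# Assumed: the backend is Python and uses the official azure-storage-blob SDK.
import os
import re
import uuid
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import quote

ENV_ACCOUNT = "AZURE_STORAGE_ACCOUNT_NAME"
ENV_KEY = "AZURE_STORAGE_ACCOUNT_KEY"
ENV_CONTAINER = "AZURE_STORAGE_CONTAINER"

# Azure storage account names are 3-24 lowercase letters and digits; checking
# this also keeps the hostname built below well-formed.
ACCOUNT_NAME_RE = re.compile(r"^[a-z0-9]{3,24}$")


@dataclass(frozen=True)
class StorageConfig:
    account_name: str
    account_key: str   # server-side secret: used to authenticate uploads, never placed in a URL
    container: str

    @property
    def account_url(self) -> str:
        return f"https://{self.account_name}.blob.core.windows.net"


def load_config(env: Mapping[str, str] = os.environ) -> StorageConfig:
    """Read and validate the Part 2 environment variables; fail fast if any is missing."""
    missing = [k for k in (ENV_ACCOUNT, ENV_KEY, ENV_CONTAINER) if not env.get(k)]
    if missing:
        raise RuntimeError(f"missing storage configuration: {', '.join(missing)}")
    account = env[ENV_ACCOUNT]
    if not ACCOUNT_NAME_RE.match(account):
        raise RuntimeError(f"invalid storage account name: {account!r}")
    return StorageConfig(account, env[ENV_KEY], env[ENV_CONTAINER])


def safe_blob_name(original_name: str, token: Optional[str] = None) -> str:
    """Turn a client-supplied filename into a blob name the server controls."""
    # Keep only the final path component so directory separators or traversal
    # sequences in the uploaded filename never reach the blob name.
    base = re.split(r"[\\/]", original_name)[-1]
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")[:200] or "file"
    # Because blobs are anonymously readable, a random prefix keeps stored names
    # unguessable and also prevents two uploads of "document.pdf" from colliding.
    prefix = token or uuid.uuid4().hex
    return f"{prefix}-{base}"


def blob_url(account_name: str, container: str, blob_name: str) -> str:
    """The Part 3 URL format: https://<storage_account>.blob.core.windows.net/<container>/<file-name>."""
    return f"https://{account_name}.blob.core.windows.net/{container}/{quote(blob_name, safe='')}"


def upload_file(config: StorageConfig, data: bytes, original_name: str,
                content_type: str = "application/octet-stream") -> str:
    """Upload bytes with the account key and return the HTTPS URL to store in the database."""
    # The SDK is imported here so the pure helpers above stay usable without it installed.
    from azure.storage.blob import BlobServiceClient, ContentSettings

    blob_name = safe_blob_name(original_name)
    service = BlobServiceClient(account_url=config.account_url, credential=config.account_key)
    blob = service.get_blob_client(container=config.container, blob=blob_name)
    # overwrite=False: an upload can never silently replace an existing attachment.
    blob.upload_blob(data, overwrite=False,
                     content_settings=ContentSettings(content_type=content_type))
    return blob_url(config.account_name, config.container, blob_name)


if __name__ == "__main__":
    # Runs against the real account when the three environment variables are set.
    cfg = load_config()
    print(upload_file(cfg, b"%PDF-1.4 constructed sample", "document.pdf", "application/pdf"))
```

Run it on the application server with the three variables exported; the printed URL is what the application would persist. The name handling is the part worth copying even if the rest differs: the server, not the client, decides the final blob name.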
Security Considerations
Although blobs are publicly readable:
- The application does not display raw URLs in the UI.
- The application only surfaces a file to users who have access to the relevant system module; the blob itself remains readable by anyone who obtains its URL.
- URLs are stored internally and not indexed or published.
- No directory listing is possible.
This setup is acceptable because:
- The system is not a public content distribution platform.
- File access volume is moderate.
- No CDN layer is required.
- Files are not intended for anonymous public browsing.
If future requirements change (e.g., high public traffic or strict access control), Azure CDN or signed URL mechanisms can be introduced without architectural redesign.
Verification Checklist
| Item | How to verify |
|---|---|
| Storage account created | Azure Portal → Storage Accounts |
| Public blob access enabled | Storage account → Configuration → Allow Blob anonymous access = Enabled |
| uploads container created with Blob access | Storage account → Containers |
| AZURE_STORAGE_ACCOUNT_NAME env var set | Check container env or server config |
| AZURE_STORAGE_ACCOUNT_KEY env var set | Check container env or server config |
| AZURE_STORAGE_CONTAINER env var set (value: uploads) | Check container env or server config |
| File upload succeeds in the application | Test via the MOC or PCR attachment upload flow |
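An automated form of the "Public blob access enabled" and "uploads container created with Blob access" rows, together with the "No directory listing is possible" statement from Security Considerations, as an added example (not part of the original guide). It assumes one blob that is already known to exist in the container, and that a plain-HTTP read is refused when Secure transfer required is enabled. The `fetch` parameter exists so the checks can be exercised with a stand-in fetcher as well as against the live account.

```python
# Added example (not part of the original guide): an automated check for the
# "public blob access" and "container access level = Blob" checklist rows.
# Anonymously fetches one blob known to exist (should succeed), then requests
# an anonymous container listing (must be refused at Blob level) and a plain
# HTTP read (must be refused when Secure transfer required is enabled).
# Assumed: the caller names a blob that already exists in the container.
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher returns (HTTP status, response body) and does not raise on 4xx/5xx.
Fetcher = Callable[[str], Tuple[int, bytes]]


def anonymous_get(url: str) -> Tuple[int, bytes]:
    """GET with no credentials: exactly what an outsider holding the URL can do."""
    req = urllib.request.Request(url, headers={"User-Agent": "mocpcr-storage-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_container_access(account_name: str, container: str, known_blob: str,
                           fetch: Fetcher = anonymous_get) -> Dict[str, bool]:
    """Return one boolean per checklist item plus an overall 'passed' flag."""
    base = f"{account_name}.blob.core.windows.net/{container}"
    blob_status, _ = fetch(f"https://{base}/{known_blob}")
    list_status, list_body = fetch(f"https://{base}?restype=container&comp=list")
    http_status, _ = fetch(f"http://{base}/{known_blob}")

    # A successful listing is a 200 whose body is the XML enumeration; any
    # other response (an error status, or no enumeration body) means the
    # container is at Blob level and cannot be enumerated anonymously.
    listing_allowed = list_status == 200 and b"<EnumerationResults" in list_body
    result = {
        "blob_readable": blob_status == 200,        # Part 3 direct-URL access works
        "listing_denied": not listing_allowed,      # access level is Blob, not Container
        "plain_http_refused": http_status != 200,   # Secure transfer required is enforced
    }
    result["passed"] = all(result.values())
    return result


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: storage_check.py <account_name> <container> <existing_blob_name>")
    account, container, blob = sys.argv[1:4]
    for item, ok in check_container_access(account, container, blob).items():
        print(f"{item}: {'ok' if ok else 'FAIL'}")
```

A `listing_denied: FAIL` means the container was created at Container level rather than Blob level (Step 3), which would let anyone enumerate every uploaded file name; `blob_readable: FAIL` usually means "Allow Blob anonymous access" was left disabled (Step 2) or the container is Private.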
Next Steps
With Azure Blob Storage configured and the three storage environment variables noted, proceed to:
Cost & Performance Notes
- Each file read counts as a Blob read operation.
- No CDN caching is currently configured.
- Expected file access frequency is low.
- Therefore, no CDN is required at this stage.
If file reads become intensive:
Azure CDN can be added later without modifying application logic.
Operational Checklist
Before going live, confirm:
| Item | Status |
|---|---|
| Storage account created | ✔ |
| Public blob access enabled | ✔ |
| Container uploads created | ✔ |
| Container access level = Blob | ✔ |
| Environment variables configured | ✔ |
| HTTPS enabled | ✔ |
Optional Future Enhancements (Not Required Now)
- Azure CDN for caching
- Private Blob + SAS Tokens
- Malware scanning integration
- Lifecycle rules for old file cleanup
- Geo-redundancy
Summary
The Azure Blob storage migration replaces AWS S3 with:
- Direct Azure Blob Storage
- Public blob-level read access
- Secure server-side upload
- Controlled application-based access
No CDN is required due to moderate file access patterns.
This architecture is stable, simple, and production-ready for internal enterprise usage.
Last updated: February 2026