Azure Storage accounts
To start managing, encrypting, encoding, analyzing, and streaming media content in Azure, you need to create a Media Services account. When creating a Media Services account, you need to supply the name of an Azure Storage account resource. The specified storage account is attached to your Media Services account.
The Media Services account and all associated storage accounts must be in the same Azure subscription. It's strongly recommended to use storage accounts in the same location as the Media Services account to avoid additional latency and data egress costs.
You must have one Primary storage account and you can have any number of Secondary storage accounts associated with your Media Services account. Media Services supports General-purpose v2 (GPv2) or General-purpose v1 (GPv1) accounts. Blob only accounts aren't allowed as Primary.
We recommend that you use GPv2, so you can take advantage of the latest features and performance. To learn more about storage accounts, see Azure Storage account overview.
Only the hot access tier is supported for use with Azure Media Services, although the other access tiers can be used to reduce storage costs on content that isn't being actively used.
There are different SKUs you can choose for your storage account. If you want to experiment with storage accounts, use
--sku Standard_LRS. However, when picking a SKU for production, you should consider
--sku Standard_RAGRS, which provides geographic replication for business continuity.
Assets in a storage account
In Media Services v3, the Storage APIs are used to upload files into assets. For more information, see Assets in Azure Media Services v3.
Don't attempt to change the contents of blob containers that were generated by the Media Services SDK without using Media Services APIs.
Storage side encryption
To protect your assets at rest, the assets should be encrypted by the storage side encryption. The following table shows how the storage side encryption works in Media Services v3:
|Encryption option||Description||Media Services v3|
|Media Services storage encryption||AES-256 encryption, key managed by Media Services.||Not supported.1|
|Storage service encryption for data at rest||Server-side encryption offered by Azure Storage, key managed by Azure or by customer.||Supported.|
|Storage client-side encryption||Client-side encryption offered by Azure storage, key managed by customer in Key Vault.||Not supported.|
1 In Media Services v3, storage encryption (AES-256 encryption) is only supported for backwards compatibility when your assets were created with Media Services v2, which means v3 works with existing storage encrypted assets but won't allow creation of new ones.
Storage account double encryption
Storage accounts support double encryption but the second layer must explicitly be enabled. See Azure Storage encryption for data at rest.
Storage account errors
The "Disconnected" state for a Media Services account indicates that the account no longer has access to one or more of the attached storage accounts due to a change in storage access keys. Up-to-date storage access keys are required by Media Services to perform many tasks in the account.
The following are the primary scenarios that would result in a Media Services account not having access to attached storage accounts.
|The Media Services account or attached storage account(s) were migrated to separate subscriptions.||Migrate the storage account(s) or Media Services account so that they're all in the same subscription.|
|The Media Services account is using an attached storage account in a different subscription as it was an early Media Services account where this was supported. All early Media Services accounts were converted to modern Azure Resources Manager based accounts and will have a Disconnected state.||Migrate the storage account or Media Services account so that they're all in the same subscription.|
To learn how to attach a storage account to your Media Services account, see Create an account.