Share via

Medallion architecture in ADLS

Bravo Arribas, Miguel 25 Reputation points
2025-02-08T11:20:54.93+00:00

I am trying to find the most suitable storage architecture for the following use case.

  • I have several clients and I need isolated storages so data cannot be mixed up
  • I work with 3 different environments for each client: dev, pre, pro
  • I need to implement a medallion architecture for each environment: bronze, silver, gold

What would be the best approach in Azure Datalake Storage? Should I have a independent storage account per environment or per client? should the medallion be implemented at container level or virtual folder level?

Thanks in advance.

Azure Data Lake Storage
Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,539 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,361 questions
0 comments
Accepted answer
  1. Marcin Policht 35,210 Reputation points MVP
    2025-02-10T13:07:33.9433333+00:00

    Yep, using separate storage accounts per client-environment (e.g., ClientA-Dev, ClientA-Pre, ClientA-Pro) is a good practice for stronger isolation and security, particularly in multi-tenant architectures. This gives you the following benefits

    1. Isolation & Security
      • Stronger isolation between environments (Dev, Pre, Prod) prevents accidental data mixing.
      • Separate access controls (IAM, networking, firewall rules) per environment.
      • Compliance benefits by keeping production data strictly separate.
    2. Performance & Scalability
      • Azure Storage has scalability limits (e.g., transactions per second).
      • Isolating environments prevents Dev/Test workloads from affecting Production.
      • Easier to scale independently per environment.
    3. Cost Optimization
      • Separate billing & monitoring per environment.
      • Cost controls (e.g., setting different lifecycle policies for Dev vs. Prod).
      • Can enforce lower-cost redundancy options in non-production environments.
    4. Operational Flexibility
      • Easier rollback strategies (e.g., deleting ClientA-Dev storage without affecting ClientA-Pro).
      • Environment-specific storage policies (e.g., shorter retention for Dev).

    However, if managing multiple storage accounts becomes too complex, you could consider a single storage account per client, with containers per environment: 

      Storage Account: ClientA
  Containers:
  - dev-bronze
  - dev-silver
  - dev-gold
  - pre-bronze
  - pre-silver
  - pre-gold
  - pro-bronze
  - pro-silver
  - pro-gold

    To conclude, for higher security and isolation, stick with one storage account per client-environment. If complexity becomes a challenge, evaluate a single account per client with environment-specific containers.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    2 people found this answer helpful.

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marcin Policht 35,210 Reputation points MVP
    2025-02-08T12:08:56.2933333+00:00

    In general, you should consider client isolation, environment segregation, and medallion architecture.

    1. Storage account strategy
    You have two options:

    1. Single storage account: Use one ADLS storage account and organize everything within containers and folders.
    2. Multiple storage accounts: Use a separate storage account per client for stronger isolation.

    If strict client isolation is required, use one storage account per client for better security and access control. If logical isolation is sufficient, use a single storage account and enforce security through RBAC and ACLs.

    2. Container structure
    To enforce environmental segregation, create separate containers per environment: 

    /dev/
/pre/
/pro/

    Each container will hold the medallion architecture structure.

    3. Medallion architecture (Bronze, Silver, Gold)
    Inside each environment container, organize data into three layers: 

    /dev/bronze/  
/dev/silver/  
/dev/gold/  

/pre/bronze/  
/pre/silver/  
/pre/gold/  

/pro/bronze/  
/pro/silver/  
/pro/gold/

    4. Client-specific isolation
    Since you have multiple clients, create subdirectories (virtual folders) per client under each medallion layer: 

    /dev/bronze/clientA/  
/dev/silver/clientA/  
/dev/gold/clientA/  

/dev/bronze/clientB/  
/dev/silver/clientB/  
/dev/gold/clientB/  

(pre and pro follow the same structure)

    This setup ensures that:

    • Clients' data is isolated under separate folders.
    • Each environment is clearly segmented.
    • The medallion architecture is properly structured.

    5. Security & access control
    Use RBAC at the container level and ACLs at the folder level to restrict access per client.
    Use managed identities to control read/write access at different layers (Bronze → Ingest, Silver → Transform, Gold → Query).

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    0 comments
  2. Sathvika Reddy Dopathi 10 Reputation points Microsoft Vendor
    2025-02-10T04:17:59.65+00:00

    Hi @Bravo Arribas, Miguel,

    Greetings! Welcome to Microsoft Q&A Forum, thanks for posting your query here.

    Adding additional information for the above answer:

    I understand that in your use case involving multiple clients and environments while implementing a medallion architecture in Azure Data Lake Storage (ADLS), the best approach would be to create independent storage accounts per client.

    This will ensure that data is completely isolated and cannot be mixed up between clients. Each client will have their own storage account for better governance and compliance.

    Within each storage account, you can implement the medallion architecture at the container level, creating separate containers for each environment (dev, pre, pro).

    Within those containers, implement the medallion architecture by creating virtual folders for each layer of the architecture:

    • Bronze: It will store raw data in a folder.
    • Silver: It will store cleansed and validated data in a folder.
    • Gold: It will store enriched and refined data in a folder.

    Within those containers, you can have the bronze, silver, and gold zones. This structure allows for clear organization and management of data quality across different environments while maintaining isolation between clients.

    Reference:

    What is the medallion lakehouse architecture? - Azure Databricks | Microsoft Learn

    Hope the answer helps! Please let us know do you have any further queries.

    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 

     

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.