What are Azure Resource Locks?
Over the course of our learning with Azure so far, we have seen that it is fairly easy to deploy resources in the Azure cloud. In fact, it is this ease of use that has largely driven cloud adoption. The flip side is that it is just as easy to delete resources in the cloud as it is to deploy them. This is a common concern among organizations that want to move their infrastructure to the cloud but are sceptical about the safeguards in place to prevent wrongful deletion of critical infrastructure components, which could bring the business to a standstill. An over-zealous or careless administrator can erase months of work with a few clicks. Azure resource locks allow organizations to put safeguards in place that prevent the accidental deletion or modification of resources in Azure.
A resource lock is a setting applied at a particular scope of the Azure hierarchy that restricts what can be done at that scope and below, regardless of the role-based access control (RBAC) permissions a user holds. A lock can be applied to a subscription, a resource group or an individual resource (management groups cannot be locked), and the restriction it imposes applies to every user and role with access to that scope. Locks are inherited by child scopes: a lock applied to a subscription is inherited by all resource groups under that subscription and by all resources created in those groups, and where several locks apply to one resource the most restrictive one wins. Two caveats are worth remembering. First, locks apply only to management-plane (Azure Resource Manager) operations, not to data-plane operations such as reading or deleting the data inside a storage account or database. Second, locks are a guard against mistakes rather than a security boundary: creating and deleting locks requires the Microsoft.Authorization/locks/* actions, which the Owner and User Access Administrator roles have, and anyone holding those actions can remove a lock and then delete the resource.
Types of Azure Locks
There are two types of resource locks in Azure, shown as Read-only and Delete in the portal and named ReadOnly and CanNotDelete in the API.
Read-only (ReadOnly): authorized users can view (read) the resource, but they cannot update or delete it, even if their role would otherwise allow it. Applying this lock is similar to restricting every user to the permissions of the Reader role. Be aware that some operations which look harmless are POST actions rather than reads and are therefore blocked as well: starting or stopping a virtual machine, or listing the access keys of a storage account, all fail under a ReadOnly lock.
Delete (CanNotDelete): authorized users can read and modify the resource, but they cannot delete it, because the lock overrides the delete permission their role may grant.
How to apply locks to Azure resources?
Now that we have understood what resource locks are and which types are available, it is time to demonstrate how to apply a lock to a resource. We are going to create a virtual machine and apply a Read-only lock to it. After applying the lock, we will examine how it affects a user managing that virtual machine.
Example - Using Azure Read Only Lock
Step 1: Create demo virtual machine
We are quickly going to create a Linux virtual machine via the Azure portal, keeping all of the default settings as they are.
After logging in to the Azure portal, we are going to type virtual machine in the search bar and click on the virtual machine search result to navigate to the virtual machine service.
Now click on the Create button on the left side under the Virtual machines title to begin the virtual machine creation process.
Populate the required fields in the virtual machine creation menu with appropriate values. For our example, we are going to create a CentOS virtual machine named lock-demo in the Central US region.
Once you’ve specified the required values for the fields, click on Review + create. On the next page, click on the create button. Once you click on create, the below prompt will appear.
For Linux virtual machines Azure defaults to SSH public-key authentication rather than passwords, and the administrator account is a non-root user, since direct root login is discouraged as a security best practice. The portal generates a key pair for us and prompts us to download the private key; Azure keeps only the public key, so this is the only time the private key is offered and it must be stored securely. Once you click on this button the VM deployment process will begin. When the VM has been deployed successfully you will be shown the below message.
Click on the go to resource button to navigate to the virtual machine settings page for the VM we just created.
Step 2: Add a lock to the virtual machine
Under the VM settings page on the left, we are going to scroll down to the locks section. Click on the locks button to view any existing locks.
As you may have observed, this resource currently has no locks associated with it. To add a lock, click on the Add button. We will be prompted to provide a name for our lock and its type, i.e. Read-only or Delete, and optionally a note explaining why the lock exists. We will select the Read-only lock here and click on OK.
A lock entry now appears in the Locks section. The name and type are the ones we selected and the scope of the lock is the virtual machine lock-demo.
Step 3: Test the effect of the azure resource locks
To see how the Read-only lock affects our ability to manage the virtual machine, we will try to perform a couple of operations.
First, let's try to stop this virtual machine. Click on the Overview button in the virtual machine settings menu on the left. On the Overview page, click on the Stop button.
We are now greeted with the below error message
The message states that we cannot perform write operations on this resource because it is locked. Stopping a VM is a POST action (powerOff) on the resource, and for locking purposes Resource Manager treats every operation other than a read as a write, which is why a Read-only lock blocks it even though the VM's configuration is not being changed. The error code returned is ScopeLocked, and the message names the scope at which the lock was found, which is useful when the lock is inherited from a resource group or subscription rather than set on the resource itself.
Now, let’s try to delete this virtual machine by clicking on the delete button and click on ok to confirm the deletion.
Once again, the same error message will be displayed.
We are not allowed to delete this virtual machine because of the presence of an Azure resource lock.
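The same walkthrough (apply a Read-only lock, verify it, attempt a stop and a delete, then remove the lock) can be scripted with the Az PowerShell module. This is an added example and not code from the original article. It assumes you are already signed in with Connect-AzAccount, that the VM lock-demo from the portal steps exists in a resource group named lock-demo-rg (the group name is assumed), and that your role includes Microsoft.Authorization/locks/write and locks/delete (Owner or User Access Administrator; Contributor alone cannot manage locks).

```powershell
# Added example: ReadOnly lock on a VM with Az PowerShell.
# Assumed names: resource group 'lock-demo-rg', VM 'lock-demo'.
$rg     = 'lock-demo-rg'
$vm     = 'lock-demo'
$vmType = 'Microsoft.Compute/virtualMachines'

# 1. Create the lock at resource scope (-Force skips the confirmation prompt).
$lock = New-AzResourceLock -LockName 'vm-readonly' -LockLevel ReadOnly `
    -LockNotes 'Demo: block writes and deletes on lock-demo' `
    -ResourceGroupName $rg -ResourceName $vm -ResourceType $vmType -Force

# 2. List the locks in force for this resource, including any inherited
#    from the resource group or subscription.
Get-AzResourceLock -ResourceGroupName $rg -ResourceName $vm -ResourceType $vmType |
    Select-Object Name, @{n = 'Level'; e = { $_.Properties.level }}, ResourceId

# 3. Stop is a POST action (powerOff), so the ReadOnly lock rejects it.
#    Expect a ScopeLocked error naming the locked scope.
try {
    Stop-AzVM -ResourceGroupName $rg -Name $vm -Force -ErrorAction Stop
} catch {
    Write-Host "Stop blocked: $($_.Exception.Message)"
}

# 4. Delete is rejected by both lock levels.
try {
    Remove-AzVM -ResourceGroupName $rg -Name $vm -Force -ErrorAction Stop
} catch {
    Write-Host "Delete blocked: $($_.Exception.Message)"
}

# 5. Reads still succeed under a ReadOnly lock.
(Get-AzVM -ResourceGroupName $rg -Name $vm).ProvisioningState

# 6. Clean-up. Removing the lock is a Microsoft.Authorization/locks/delete
#    action on the lock object, not a write on the VM, so it succeeds while
#    the VM is still locked. This is also why a lock is not a security
#    boundary against anyone who holds that permission.
Remove-AzResourceLock -LockId $lock.LockId -Force
```

Running the script a second time after step 6 stops and deletes the VM without complaint, which is the behaviour the lock was protecting against.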
Example - Using Azure Delete Lock
In this example we want to highlight that resource locks act on management-plane operations, i.e. on the resource as Azure Resource Manager sees it, not on the data stored inside the resource. We will create a storage account and apply a Delete (CanNotDelete) lock to it. We will not be able to delete the storage account itself, but we will still be allowed to delete data that resides within it, because data-plane operations on blobs and files go to the storage service endpoint and are never evaluated against locks.
Step 1: Create storage account
In search bar on the Azure home page, type in storage and select storage accounts from the search results.
You will be brought to the Storage Account service page. From here click on create to create a new storage account.
Fill in the appropriate values for the subscription and resource group and provide a valid name for your storage account. Note that the storage account name must be 3 to 24 characters long, may contain only lowercase letters and numbers, and must be globally unique across Azure, since it becomes part of the storage endpoint host name. We have named our storage account lock7demo.
Once satisfied with your selections, click on review + create. On the next page, click on the create button to create the storage account.
Once the deployment of the storage account has been completed successfully, you should see the “Deployment is complete” confirmation on the page. Here you will also see a “go to resource” button. Click on this button to navigate to the storage account you’ve just created.
Within our storage account, we have created a file share and uploaded two files to it, as shown in the screenshot below.
Please note that we are not going through the details of creating storage accounts and would explore them in depth in a future article.
Step 2: Apply the Cannot Delete Lock
On the left side menu scroll down to the azure resource locks section in the settings and click on it.
As you may observe from the screenshot below, we presently have no locks applied to this storage account.
Click on the add button to associate a lock on this storage account. Type in a name for the lock and select delete as the lock type and then click on ok.
Our lock has now been successfully associated with the storage account lock7demo.
Step 3: Test the Azure Resource Locks
To test the azure resource locks, let’s attempt to delete the storage account. For this, click on the overview tab in the menu options on the left side of the storage account page and then click on the delete button.
Once we click the delete button, the below error message will be displayed.
The above error message confirms the fact that our delete lock is in effect.
But what if we just wanted to delete some data from the storage account and not the account itself?
To delete data in the file share, click on File shares in the menu on the left side of the page. On this page we select the demo file share that we created earlier.
We can see that our share along with its content is available. We will now delete one of the files in the share, Locking and Moving Resource.txt. To do so, click on the three dots towards the end of the line and select Delete.
Click on yes to confirm.
The deletion operation would be successful.
But if you try to delete the file share itself from this page, the operation fails: the portal deletes a share through Resource Manager, where it is a child resource of the storage account (Microsoft.Storage/storageAccounts/fileServices/shares) and therefore inherits the account's lock.
With this example we wanted to illustrate that resource locks are applied at the level of the resource as seen by Resource Manager, not to the data that resides within the resource. Note the limit of that protection: a share deleted directly through the File REST API (over SMB, or with the data-plane SDKs and cmdlets) bypasses Resource Manager, so a lock alone does not protect file share contents. Share soft delete is the control for that case.
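The management-plane versus data-plane distinction is easiest to see when both paths are exercised from one script. This is an added example and not code from the original article. It assumes you are signed in, that the storage account lock7demo with the file share demo and the file Locking and Moving Resource.txt exist as in the walkthrough above, and that the account lives in a resource group named lock-demo-rg (the group name is assumed). Steps 1 to 3 go through Azure Resource Manager and are subject to the lock; steps 4 to 6 talk to the storage endpoint and are not.

```powershell
# Added example: CanNotDelete lock on a storage account, contrasted with
# data-plane operations that the lock never sees.
# Assumed names: resource group 'lock-demo-rg', account 'lock7demo',
# share 'demo'.
$rg     = 'lock-demo-rg'
$sa     = 'lock7demo'
$share  = 'demo'
$saType = 'Microsoft.Storage/storageAccounts'

# 1. Management plane: lock the storage account.
New-AzResourceLock -LockName 'sa-cannotdelete' -LockLevel CanNotDelete `
    -ResourceGroupName $rg -ResourceName $sa -ResourceType $saType -Force | Out-Null

# 2. Management plane: deleting the account is refused (ScopeLocked).
try {
    Remove-AzStorageAccount -ResourceGroupName $rg -Name $sa -Force -ErrorAction Stop
} catch {
    Write-Host "Account delete blocked: $($_.Exception.Message)"
}

# 3. Management plane: the share is an ARM child resource
#    (storageAccounts/fileServices/shares), so it inherits the lock.
try {
    Remove-AzRmStorageShare -ResourceGroupName $rg -StorageAccountName $sa `
        -Name $share -Force -ErrorAction Stop
} catch {
    Write-Host "Share delete via ARM blocked: $($_.Exception.Message)"
}

# 4. Data plane: build a context from an account key. listKeys is a POST,
#    so it would be refused under a ReadOnly lock; CanNotDelete allows it.
$key = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $sa)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $sa -StorageAccountKey $key

# 5. Data plane: the file is deleted, exactly as in the portal walkthrough.
Remove-AzStorageFile -ShareName $share -Path 'Locking and Moving Resource.txt' -Context $ctx

# 6. Data plane: Remove-AzStorageShare calls the File REST API directly and
#    bypasses Resource Manager, so the lock does not protect this path.
#    Left commented out so the demo share survives; enable share soft delete
#    if you need protection here.
# Remove-AzStorageShare -Name $share -Context $ctx -Force

# 7. Clean-up.
$lock = Get-AzResourceLock -ResourceGroupName $rg -ResourceName $sa `
    -ResourceType $saType -LockName 'sa-cannotdelete'
Remove-AzResourceLock -LockId $lock.LockId -Force
```

The practical lesson is in step 6: when a reviewer asks whether "the storage account is locked" means the data is safe from deletion, the answer is no; locks protect the resource object, and soft delete, immutability policies or backup protect the contents.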
Moving Azure Resources
Azure allows administrators to move resources between resource groups, and to resource groups in other subscriptions. Consider an organization whose departments each have their own subscription. One department may no longer need a resource that another department could use; moving it across subscriptions saves us the hassle of redeploying it in the other subscription. Certain criteria must be met before a move is possible.
For example, if we decide to move a virtual machine then the infrastructure it depends on, i.e. the virtual network and any attached disks, must be moved along with it, and not every resource type supports moves at all. Suffice it to say that we need to validate the feasibility of a move before attempting it. A move between resource groups or subscriptions does not change the region a resource is deployed in; region availability only matters when a resource is re-created in a different region, which is a separate process described below. When we move resources through the Azure portal this validation is run automatically; when scripting a move, the validate move operation of the Resource Manager API (validateMoveResources) performs the same check without changing anything. Two further points matter in practice: the source and destination resource groups are locked for write and delete operations while the move runs, and the resource ID changes, so scripts, templates, policies and monitoring rules that reference the old ID must be updated afterwards.
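The validate-then-move sequence described above, scripted with Az PowerShell and the Resource Manager REST API. This is an added example and not code from the original article. It assumes you are signed in, that the VM lock-demo and its dependencies (network interface, disk, public IP, virtual network) are the only resources in a resource group named lock-demo-rg, that a destination group named lock-demo-rg2 already exists in the same subscription (both group names are assumed), and that the Read-only lock from the earlier demonstration has been removed, since a move is a write operation on the resource.

```powershell
# Added example: validate a cross-resource-group move, then perform it.
# Assumed names: source group 'lock-demo-rg', destination 'lock-demo-rg2'.
$src = 'lock-demo-rg'
$dst = 'lock-demo-rg2'
$sub = (Get-AzContext).Subscription.Id

# 1. A VM cannot move without its dependencies. For a demo group that holds
#    only this VM and what it needs, moving every resource in the group is
#    the simplest correct set. @() keeps this an array even for one resource.
$ids    = @((Get-AzResource -ResourceGroupName $src).ResourceId)
$target = (Get-AzResourceGroup -Name $dst).ResourceId

# 2. Dry run. POST .../validateMoveResources answers 202 with a Location URL
#    to poll. Polling returns 202 while validation runs, 204 if the move
#    would succeed, and 409 with the reason (missing dependency, unsupported
#    type, lock, ...) if it would not.
$body = @{ resources = $ids; targetResourceGroup = $target } | ConvertTo-Json
$r = Invoke-AzRestMethod -Method POST -Payload $body `
    -Path "/subscriptions/$sub/resourceGroups/$src/validateMoveResources?api-version=2021-04-01"
if ($r.StatusCode -ne 202) { throw "Validation request rejected: $($r.Content)" }

$poll = $r.Headers.Location
do {
    Start-Sleep -Seconds 5
    $status = Invoke-AzRestMethod -Method GET -Uri $poll
} while ($status.StatusCode -eq 202)
if ($status.StatusCode -ne 204) { throw "Move would fail: $($status.Content)" }

# 3. The real move. Both resource groups are locked for write and delete
#    until it completes, and every moved resource gets a new resource ID.
Move-AzResource -DestinationResourceGroupName $dst -ResourceId $ids -Force

# 4. Confirm the new IDs; anything that referenced the old ones must be updated.
(Get-AzResource -ResourceGroupName $dst).ResourceId
```

For a move to another subscription, add -DestinationSubscriptionId to Move-AzResource and put the destination group's resource ID (which already contains the target subscription) in targetResourceGroup for the validation call.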
Example: Move Azure Resources to Another Region
To move resources, navigate to the resource group in which the resources you would like to move reside. We will be moving the virtual machine that we created in our earlier demonstration of Read-only resource locks.
We select our virtual machine, which currently resides in Central US, and click on the Move button. We are given three options here: move to another resource group, move to another subscription, and move to another region. For this demonstration we will move our virtual machine to a different region. Unlike the other two options, a region move does not relocate the existing resource: the portal hands off to Azure Resource Mover, which prepares a copy of the VM and its dependencies in the target region under new resource IDs, and the original resources remain in the source region until you delete them.
For our destination region, we’ll select EAST US 2 and then click next.
This will commence the resource movement process and the Azure portal will guide us along the way through the move process.
In this article, we discussed why we need the ability to apply Azure resource locks to our resources in the cloud and explained the two types of lock available in Azure. We also demonstrated how operations on locked resources are affected, and finally we briefly discussed moving resources within the Azure cloud.
While writing this article we drew on Microsoft's official documentation; the links are shared below.
Control and Organize Azure Resources
Build a cloud governance strategy on Azure
Move Azure resources to another resource group