Yemisi Oyesainu

Use Locks to Protect your Azure Resources

Resource locks are Azure tools for protecting your resources from unauthorised or accidental modification and deletion. Locks can be applied to Azure subscriptions, resource groups and individual resources. When a lock is applied to any of these, it supersedes any permission or authorisation the user may have.

There are two types of Locks in Azure. On the Azure portal, these locks are called Delete and Read-only. In the command line, they are called CanNotDelete and ReadOnly.

CanNotDelete means authorized users can read and modify a resource, but they cannot delete it.
ReadOnly means authorized users can read a resource, but they cannot delete or update it.

It is also worth noting that when a lock is applied at a parent level, for example on a resource group, all resources within that group inherit the lock. Even a resource that is added to the resource group after a CanNotDelete lock has been applied to the group will inherit the group lock. Locks protect a resource from changes, but they do not restrict how a resource performs its functions.

In this blog we will show how to manage resource locks in Azure. We will also show the effect of locks on resources. I will create a resource group and add a resource to it. A Resource lock will be added to the Resource group. We will test the lock by trying to delete the resource from the group. Then we will remove the lock and try to delete the resource again.

Come on! Let's start.

Log in to Azure Portal and select Resource group

Click on Create

Complete the Project details. My subscription is Azure Pass Sponsorship. I will name the Resource group UniRg and select East US as the Region

Click on Tags and create one for the Resource group. The Name:Value pair will be Yemmy Oye: Procurement

Click on Review and Create

When validation has passed, click on Create

The Resource group UniRg has been created

Go back to the Azure portal and add a resource to the Resource group. Here, I want to add a Storage account.
On the Azure portal, select Storage account

Click on create and complete the Project details. My subscription is Azure Pass Sponsorship. Select the Resource group UniRg created earlier

Complete the Instance details. I will name the storage account yemistore. Remember that the name must be in lower case. I will leave the other details at their defaults.

Click on Review

Click on Create and wait for the deployment to complete

Go to Resource

The Storage account yemistore has been created

Go back to the Resource group UniRg and click on Locks

Then click Add

I will name the Lock neverdelete and select Delete as the Lock type
A note is also added stating that:
"this will protect the resources in this group from unauthorised deletion"

Click OK

The Lock neverdelete has been applied to the Resource group UniRg. All resources in this group inherit the lock.

Come on! Let's test this out.

Go back to the Overview page of the Resource group UniRg and click on the Storage account named yemistore

To test the lock applied to the Resource group UniRg that contains the storage account yemistore, we will try to delete the storage account and observe what happens.

Click on Delete

You can see from the above image that the Resource yemistore cannot be deleted because it has inherited the Lock neverdelete applied to its parent UniRg.

Let's try to remove the Lock on UniRg and observe what happens next.
Go to the Resource group and click on Locks.
Then click on the Delete button on the right-hand side of the Lock neverdelete.

The Lock on the Resource group has been deleted

Now, go back and try to delete the storage account again

Specify the Storage account name to be deleted

Then click Delete

Confirm delete

The Storage account yemistore has been successfully deleted because the Lock on its parent has been removed.

Great!! Isn't it?

That is an amazing tool on Microsoft Azure for securing your resources.
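
The inheritance behaviour tested in this walkthrough can also be checked offline when auditing which resources a lock actually covers. The Python below is an added example, not part of the original post: it takes lock records in the shape of `az lock list -o json` output and works out which lock a resource inherits. The helper names, the placeholder subscription ID and the sample records are constructed for illustration, and it assumes Azure's documented rule that the most restrictive lock in the inheritance chain takes precedence.

```python
# Constructed sample: lock records as json.load() would return them from
# `az lock list -o json`, trimmed to the fields used. SUB is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
LOCKS = [{
    "id": SUB + "/resourceGroups/UniRg/providers/Microsoft.Authorization/locks/neverdelete",
    "name": "neverdelete",
    "level": "CanNotDelete",
}]
STORAGE_ID = SUB + "/resourceGroups/UniRg/providers/Microsoft.Storage/storageAccounts/yemistore"

LOCK_SEGMENT = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher means more restrictive


def lock_scope(lock_id):
    """Return the scope a lock is attached to: its ID up to the locks segment."""
    pos = lock_id.lower().rfind(LOCK_SEGMENT)
    if pos < 0:
        raise ValueError("not a management lock ID: " + lock_id)
    return lock_id[:pos].lower()


def effective_lock(resource_id, locks):
    """Return the most restrictive lock on the resource or any parent scope, else None."""
    rid = resource_id.lower().rstrip("/")  # Azure resource IDs are case-insensitive
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # Match whole path segments so a lock on UniRg does not cover UniRg2.
        covers = rid == scope or rid.startswith(scope + "/")
        if covers and (best is None or RANK[lock["level"]] > RANK[best["level"]]):
            best = lock
    return best


def is_blocked(operation, resource_id, locks):
    """Say whether a lock stops a 'delete' or 'update' request on the resource."""
    if operation not in ("delete", "update"):
        raise ValueError("operation must be 'delete' or 'update'")
    lock = effective_lock(resource_id, locks)
    if lock is None:
        return False
    # CanNotDelete stops deletes only; ReadOnly stops deletes and updates.
    return operation == "delete" or lock["level"] == "ReadOnly"


if __name__ == "__main__":
    print(is_blocked("delete", STORAGE_ID, LOCKS))  # lock on UniRg in place
    print(is_blocked("delete", STORAGE_ID, []))     # lock removed
```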

Your feedback will be appreciated.