While using the Azure platform, we often come across situations where we risk inadvertently modifying or deleting critical resources, which can have significant repercussions on the operations of a business or an organization. This is precisely where Azure Resource Locks step in to provide an additional layer of protection.
There are two levels of Resource Locks in Azure:
- Read-only: At this level we can only read a resource; we can’t delete or update it. The restriction also covers all the supporting resources that belong to the locked scope. For instance, if we set an entire resource group to read-only, we cannot delete or update any resources within it.
- Delete: The delete lock level simply means we can still modify a resource, but we can’t delete the resource.
These lock levels can be applied to different scope levels such as Resource Group, Subscription, and Resource.
- Resource Group: When applied at this level, the lock blocks the action for all resources in that resource group.
- Subscription: If applied at this level, the blocked action is extended to all resources in the subscription.
- Resource: A lock applied at this level only blocks the action for that particular resource.
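The scope rules above can be checked mechanically. The following is an added example, not code from the original page: it takes lock records shaped like `az lock list -o json` output and works out which lock level actually reaches each resource, with the most restrictive lock winning when several scopes overlap. The subscription ID, resource names and lock names are constructed sample values.

```python
import json

LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
# Higher rank = more restrictive; ReadOnly blocks both update and delete.
RANK = {"CanNotDelete": 1, "ReadOnly": 2}

# Constructed sample shaped like `az lock list -o json` output (all IDs made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
STOR = SUB + "/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/storprod"
SAMPLE_LOCKS = json.dumps([
    {"name": "rg-nodelete", "level": "CanNotDelete",
     "id": SUB + "/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/rg-nodelete"},
    {"name": "stor-ro", "level": "ReadOnly",
     "id": STOR + "/providers/Microsoft.Authorization/locks/stor-ro"},
])

def lock_scope(lock_id):
    """Strip the trailing lock segment to get the scope the lock is applied to."""
    idx = lock_id.lower().rfind(LOCK_SUFFIX)
    if idx < 0:
        raise ValueError("not a lock resource ID: " + lock_id)
    return lock_id[:idx]

def in_scope(resource_id, scope):
    """True if the resource is the scope itself or nested under it.
    Azure resource IDs are case-insensitive; the match must end on a '/'
    boundary so that rg-prod does not also cover rg-prod2."""
    r, s = resource_id.lower().rstrip("/"), scope.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def effective_lock(resource_id, locks):
    """Most restrictive lock level that reaches the resource, or None."""
    levels = [l["level"] for l in locks if in_scope(resource_id, lock_scope(l["id"]))]
    return max(levels, key=RANK.__getitem__, default=None)

def audit(resource_ids, locks):
    """Map each resource ID to its effective lock level (None = unprotected)."""
    return {rid: effective_lock(rid, locks) for rid in resource_ids}

if __name__ == "__main__":
    resources = [
        STOR,
        SUB + "/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm1",
        SUB + "/resourceGroups/rg-prod2/providers/Microsoft.Compute/virtualMachines/vm2",
    ]
    for rid, level in audit(resources, json.loads(SAMPLE_LOCKS)).items():
        print(f"{level or 'UNLOCKED':<13} {rid}")
```

Resources reported as UNLOCKED are the ones that no subscription, resource group or resource lock reaches.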
Consider the scenario:
If there is a virtual machine in an environment, to protect it from being deleted, we can use Delete Lock on it. Once the Delete Lock is enabled, no user, irrespective of their privileges, can delete the virtual machine. They can only read and modify it.
To create a Delete lock for a storage account using Azure CLI, the following code can be used:
az lock create --name LockName --lock-type CanNotDelete --resource-group RGName --resource-name StorName --resource-type "Microsoft.Storage/storageAccounts" --namespace Microsoft.Storage
In this command:
- LockName is the name given to the lock.
- --lock-type defines the lock level, which is CanNotDelete (Delete lock).
- --resource-group is the resource group that contains the storage account (RGName is a placeholder; a lock on an individual resource needs it).
- --resource-name is the name of the resource, which in this case is the storage account.
- --resource-type and --namespace specify the resource type and provider for the resource.
It is important to remember that although resource locks can safeguard critical resources, they aren’t a substitute for security measures. They must be used in conjunction with role-based access control (RBAC), which regulates who has access to Azure resources and what they can do with these resources.
In conclusion, Resource Locks act as a protective barrier against inadvertent user actions, ensuring the availability and integrity of Azure resources.
They give administrators granular control over which actions can be performed on a given resource. Hence, understanding Resource Locks can significantly improve how Azure resources are managed, and it underpins the subject matter of the AZ-900 Microsoft Azure Fundamentals exam.
Practice Test
True/False: Resource locks are used in Azure to prevent accidental deletion or modification of resources.
- True
- False
Answer: True
Explanation: Resource locks provide a way for administrators to lock down Azure resources to prevent accidental deletion or modification.
Which of the following is NOT a purpose of resource locks in Azure?
- A) To prevent accidental deletion
- B) To prevent unauthorized access
- C) To prevent modification
- D) To monitor resource usage
Answer: D) To monitor resource usage
Explanation: Resource locks do not have the function to monitor resource usage. They are designed to prevent accidental or malicious deletion or modification.
How many levels of resource locks does Azure support?
- A) One
- B) Two
- C) Three
- D) Four
Answer: B) Two
Explanation: Azure supports two levels of resource locks, namely ‘CanNotDelete’ and ‘ReadOnly’.
True/False: A ‘ReadOnly’ lock on a resource will prevent the resource from being deleted.
- True
- False
Answer: False
Explanation: A ‘ReadOnly’ lock does not prevent the deletion of a resource. It only prevents the resource from being edited.
Which of the following Azure roles can assign resource locks?
- A) Owner
- B) Contributor
- C) Reader
Answer: A) Owner
Explanation: Only the ‘Owner’ role can assign resource locks. Contributors and Readers cannot assign resource locks.
True/False: A resource lock prevents users from deleting a resource, regardless of their permissions.
- True
- False
Answer: True
Explanation: Resource locks help prevent accidental deletion of resources, regardless of the permission level of the user.
Multiple select: Which of the following can you apply a lock to in Azure?
- A) Subscription
- B) Resource group
- C) Individual resources
Answer: A) Subscription, B) Resource group, C) Individual resources
Explanation: You can apply Azure resource locks at different levels such as the subscription level, the resource group level, or the individual resource level.
True/False: You can apply multiple locks to a single resource in Azure.
- True
- False
Answer: True
Explanation: You can indeed apply multiple locks to a single resource.
Which of the following Azure roles can remove or modify Resource Locks?
- A) Owner
- B) Contributor
- C) Reader
Answer: A) Owner
Explanation: Only the ‘Owner’ role can remove or modify Resource Locks.
True/False: If a parent resource group has a ‘CanNotDelete’ lock, it will prevent deletion of resources within that group.
- True
- False
Answer: True
Explanation: A ‘CanNotDelete’ lock on a parent resource group will apply to all child resources, preventing their deletion.
Single select: The ‘CanNotDelete’ lock in Azure allows:
- A) Modification but not deletion of a resource
- B) Deletion but not modification of a resource
- C) Neither deletion nor modification of a resource
Answer: A) Modification but not deletion of a resource
Explanation: The ‘CanNotDelete’ lock allows resources to be modified but prevents them from being deleted.
True/False: You can apply a resource lock to a resource that is being deleted.
- True
- False
Answer: False
Explanation: You cannot apply a resource lock to a resource that is being deleted.
Single select: What happens if you try to delete a locked resource?
- A) Azure will prompt for confirmation before deletion
- B) Azure will outright refuse deletion
- C) Azure will delete the resource but send an alert
Answer: B) Azure will outright refuse deletion
Explanation: Azure will refuse deletion if a resource is locked, thus ensuring protection against accidental deletion.
Multiple select: Who cannot delete resources that have been locked with ‘CanNotDelete’ lock in Azure?
- A) Owner
- B) Contributor
- C) Reader
Answer: B) Contributor, C) Reader
Explanation: The ‘CanNotDelete’ lock prevents resources from being deleted even by the Contributor and Reader roles.
True/False: Resource locks prevent malicious activity.
- True
- False
Answer: False
Explanation: Although resource locks can provide an additional layer of protection, they are primarily designed to prevent accidental changes, not malicious activity.
Interview Questions
What is the main purpose of resource locks in Microsoft Azure?
The main purpose of resource locks in Microsoft Azure is to protect resources from accidental deletion or modification.
What are the two types of resource locks in Azure?
The two types of resource locks in Azure are Delete locks and Read-Only locks.
What does a Delete lock do in Azure?
A Delete lock in Azure prevents the resource from being deleted.
What does a Read-Only lock do in Azure?
A Read-Only lock in Azure prevents the resource from being modified.
Can you apply resource locks at different levels in Azure?
Yes, you can apply resource locks at different levels such as subscription level, resource group level or resource level.
Is it possible to delete a resource in Azure that has a Delete lock?
No, a resource with a Delete lock cannot be deleted until the lock is removed.
Is it possible to modify a resource in Azure that has a Read-Only lock?
No, a resource with a Read-Only lock cannot be modified until the lock is removed.
Who can apply a resource lock in Azure?
Only users with Owner or User Access Administrator roles can apply a resource lock in Azure.
Who can remove a resource lock in Azure?
Only users with Owner or User Access Administrator roles can remove a resource lock in Azure.
When should a Delete lock be used in Azure?
A Delete lock should be used when you want to ensure a resource is not accidentally deleted.
When should a Read-Only lock be used in Azure?
A Read-Only lock should be used when you want to prevent a resource from being modified but allow it to be deleted.
How are resource locks beneficial for an organization using Azure?
Resource locks are beneficial as they provide an additional layer of protection to prevent accidental deletion or modification of critical resources in Azure.
What happens to the resource locks if a subscription is moved to a new Azure account?
The resource locks stay with the subscription during the move to a new Azure account.
Can resource locks be inherited from parent resources in Azure?
Yes, if a resource lock is applied at the resource group or subscription level, it will apply to all resources within the resource group or subscription.
Can you apply multiple locks to a single resource in Azure?
Yes, you can apply both a Read-Only and a Delete lock to a single resource, but the strongest lock takes precedence.