What are Azure Resource Locks?
In Azure, resource locks are a setting one can apply to any resource to block modifications. The locks provide a safeguard against accidental deletion or alteration of a resource. There are two types of resource locks in Azure:
- Delete Lock: This lock prevents the user from deleting the resource.
- Read-Only Lock: This lock blocks any changes to a resource; however, it doesn’t prevent the resource from being read or deleted.
Let’s understand the procedure to configure these locks.
How to Configure Resource Locks in Azure
Resource locks can be configured during resource creation or after a resource has been created.
Configuring Resource Locks During Resource Creation
During the creation of a new resource, in the ‘Review + Create’ panel, click on ‘Go to subscription blade’. You will be navigated to the ‘Subscriptions’ blade. Here, press the ‘Resource locks’ button in the section ‘Settings’.
In the ‘Locks’ blade, press ‘+ Add’. Enter the details: the lock name and the lock type. Press ‘OK’ to finish.
Configuring Resource Locks After Resource Creation
After creating the resource, in the resource’s settings menu, you will find ‘Locks’. Press it. In the new window, press ‘+ Add’ to bring up the ‘Add Lock’ interface. From here, similar to creating resource locks during creation, fill in the details and press ‘OK’.
Configuring Resource Locks via Azure CLI
Using Azure’s CLI, you can also add a lock to a resource with the following command:
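az lock create --name MyResourceLock --lock-type CanNotDelete --resource-group MyResourceGroup --resource-name MyResource --resource-type "Microsoft.Compute/virtualMachines"
In the command above,
- MyResourceLock is the name of your lock,
- CanNotDelete specifies the lock type,
- MyResourceGroup is a placeholder for the resource group that contains the resource (a resource-level lock needs it),
- MyResource is the name of the resource, and
- the resource type is given as Microsoft.Compute/virtualMachines, which already includes the Microsoft.Compute namespace, so a separate --namespace is not needed. A --parent path applies only to child resources, so it is omitted for a virtual machine.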
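Locks can sit at subscription, resource group, or resource scope, and a resource inherits every lock above it, with the most restrictive one taking effect. The following added example (not part of the original article) works out the effective lock for a resource from JSON in the shape returned by `az lock list -o json`. The subscription ID, lock names, and resource names are constructed placeholders.

```python
import json

# Constructed sample in the shape of `az lock list -o json` (only the fields used here).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder subscription
LOCKS_JSON = json.dumps([
    {"name": "rg-no-delete", "level": "CanNotDelete",
     "id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Authorization/locks/rg-no-delete"},
    {"name": "vm-freeze", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01"
           "/providers/Microsoft.Authorization/locks/vm-freeze"},
    {"name": "other-rg", "level": "ReadOnly",
     "id": f"{SUB}/resourceGroups/prod2/providers/Microsoft.Authorization/locks/other-rg"},
])

LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher value = more restrictive


def lock_scope(lock_id):
    """Return the scope a lock is attached to: everything before the lock suffix."""
    lowered = lock_id.lower()  # Azure resource IDs are case-insensitive
    idx = lowered.rfind(LOCK_SUFFIX)
    if idx < 0:
        raise ValueError(f"not a lock id: {lock_id}")
    return lowered[:idx]


def applies_to(scope, resource_id):
    """A lock covers its own scope and everything below it.
    Whole path segments are compared so 'prod' does not match 'prod2'."""
    rid = resource_id.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")


def effective_lock(locks, resource_id):
    """Return (most restrictive level, names of all applicable locks), or (None, [])."""
    hits = [l for l in locks if applies_to(lock_scope(l["id"]), resource_id)]
    if not hits:
        return None, []
    level = max((l["level"] for l in hits), key=RANK.__getitem__)
    return level, sorted(l["name"] for l in hits)


if __name__ == "__main__":
    locks = json.loads(LOCKS_JSON)
    for rid in (f"{SUB}/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/web01",
                f"{SUB}/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/logs01",
                f"{SUB}/resourceGroups/dev/providers/Microsoft.Compute/virtualMachines/test01"):
        print(rid.rsplit("/", 1)[-1], effective_lock(locks, rid))
```

The list of lock names returned alongside the level shows which locks would all have to be removed before a delete or change could succeed.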
Properly managing Azure resources is essential. Without correct configurations and settings, resources can be accidentally deleted or altered, potentially causing problems in your Azure environment.
As we conclude, understanding how to configure resource locks is an essential skill for anyone who wishes to pass the AZ-104 Microsoft Azure Administrator exam, and is crucial in preserving the integrity and stability of your Azure environment.
Remember, use resource locks whenever you want to provide safeguards against accidental deletion, or when it’s necessary to freeze resources to prevent any changes. Be aware that once applied, these locks apply to everyone, including administrators. Therefore, use them cautiously!
Keep learning and exploring more about becoming an Azure Administrator with the AZ-104 certification exam.
Practice Test
True or False: A Resource Lock in Azure is used for locking resources to prevent accidental deletion or modification.
- True
- False
Answer: True
Explanation: Resource locks provide a way to protect resources from accidental deletion or modification by providing two lock levels: “CanNotDelete” and “ReadOnly”.
Which of the following types of locks are available in Azure?
- a) ReadOnly
- b) CanNotDelete
- c) Both a & b
- d) None of the above
Answer: c) Both a & b
Explanation: Azure provides two types of locks: “ReadOnly”, which only allows read operations, and “CanNotDelete”, which allows both read and write operations but prevents deletion.
The only way to remove a lock on a resource in Azure is to delete the resource.
Answer: False
Explanation: Locks can be removed from a resource without deleting the resource.
At which levels can a lock be set in Azure?
- a) Subscription
- b) Resource Group
- c) Resource
- d) All of the above
Answer: d) All of the above
Explanation: The lock can be set at any of the three levels: Subscription, Resource Group, or the Resource itself.
Once a resource is locked, it cannot be unlocked.
Answer: False
Explanation: A resource lock can be removed by someone with appropriate access.
True or False: A Delete lock on a subnet prevents the deletion of the virtual network.
- True
- False
Answer: True
Explanation: A Delete lock on a subnet will prohibit deleting the parent resources, in this case, the virtual network.
Who can apply, modify, or remove locks?
Answer: An account with Owner or User Access Administrator role within Azure.
Explanation: Because locking is a powerful capability that can halt resource operations, only the Owner or User Access Administrator role has these permissions.
True or False: A lock on a parent resource does not apply to child resources.
- True
- False
Answer: False
Explanation: When you apply a lock at a parent scope, all resources within that scope inherit the same lock.
What is the primary purpose of resource locks in Azure?
Answer: To prevent accidental deletion or modification of a resource.
Explanation: The main purpose of resource locks is to protect Azure resources from accidental changes or deletions.
Can a CanNotDelete lock prevent virtual machines from being stopped?
Answer: No
Explanation: The CanNotDelete lock doesn’t prevent the operations of a resource; it only prevents the resource from being deleted.
True or False: Locks block not only users but also applications and services from making changes.
- True
- False
Answer: True
Explanation: Locks block any users, applications, or services from making deletions or changes to locked resources.
Do Azure Resource locks affect resource performance?
Answer: No
Explanation: Resource locks are used to protect resources and do not have any impact on the performance of the resources.
True or False: A ReadOnly lock allows users to read a resource but not delete it.
- True
- False
Answer: True
Explanation: A ReadOnly lock permits read operations but blocks all write and delete operations.
What type of lock should be used to prevent any changes to a resource?
Answer: ReadOnly
Explanation: A ReadOnly lock ensures the resource can only be read and not modified.
Can a CanNotDelete lock allow changes to be made to a resource but not its deletion?
Answer: Yes
Explanation: The CanNotDelete lock, as the name suggests, allows changes to be made to a resource but blocks its deletion.
Interview Questions
What is the purpose of Azure Resource Locks?
Azure Resource Locks help prevent accidental deletion or modification of critical resources in Azure. They allow an administrator to apply a lock at different scopes (resource group, subscription) to protect the resources within that scope.
What are the different types of Azure Resource Locks?
There are two types of locks that Azure offers: Delete Locks and Read-Only Locks. The Delete Lock prevents the resource from being deleted, while the Read-Only lock prevents any changes from being made to the resource.
Can I apply a resource lock to a resource that is currently being deployed?
No, you cannot apply a resource lock to a resource that is currently being deployed. You must wait until the deployment is completed.
How can you create a resource lock through the Azure portal?
To create a resource lock through the Azure portal, navigate to the settings of the desired resource, click on ‘Locks’, then click ‘Add’. You can then specify the lock type and name.
Can a user with ‘Guest’ access apply or remove resource locks?
No, applying or removing resource locks requires at least ‘Contributor’ access, therefore a user with ‘Guest’ access cannot do this.
Can you override or bypass a resource lock?
No, once a resource lock is set, it cannot be bypassed or overridden. The only way to modify or delete the resource is by removing the lock.
How can you remove a resource lock?
A resource lock can be removed via the Azure portal by navigating to the ‘Locks’ section in the settings of the resource, and then selecting ‘Delete’. This can also be performed using Azure PowerShell or Azure CLI.
What is the difference between ‘CanNotDelete’ and ‘ReadOnly’ locks in Azure?
‘CanNotDelete’ locks prevent the resource from being deleted, but still allow it to be modified. ‘ReadOnly’ locks on the other hand prevent both deletion and modifications to the resource.
What actions are required to manage Resource Locks in Azure?
The Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions are required to manage Resource Locks in Azure.
Can a locked resource be moved to a new resource group or subscription?
Yes, a locked resource can be moved to a new resource group or subscription, but you must have the necessary access to remove the lock and reassign it after the move.
Can I apply a lock to a subscription in Azure?
Yes, you can apply a lock to a subscription. This would apply the lock to all resources within the subscription.
If a resource group has a Read-Only lock, can a resource within the group have a Delete lock?
No, a resource cannot have a less restrictive lock than that of its parent resource group or subscription. If the resource group has a Read-Only lock, the resource within it cannot have a Delete lock.
Is there a limit to the number of resource locks you can have in Azure?
No, there is no documented limit to the number of resource locks you can create in Azure.
How do resource locks affect availability of applications?
Resource locks do not affect the operational side of the resources, thus they do not have any effect on the availability of applications. They only restrict the ability to delete or modify the resources.
If a resource is locked with a ‘ReadOnly’ lock, can I still view and read its properties?
Yes, a ‘ReadOnly’ lock does not prevent viewing or reading a resource’s properties. It only prevents modifications to the resource.