Azure Resource Lock — Simple 2 Steps
What is Resource Lock?
Resource Lock in Azure is a powerful Azure Resource Manager feature that gives Azure admins a way to lock down selected Azure resources and protect them from accidental deletion and modification. It is more powerful than Role-Based Access Control (RBAC): it places restrictions on Azure resources that apply to all types of users.
An easy way to remember it:
Admin — “We have all access”
Developers — “We have some access”
Read users — “We have read-only access”
RESOURCE LOCK be like — “Whoever you are (Admin, Developers, Read Users), you are all the same to me. Face me first (Edit/Delete), then go to the resources!”
How to implement this? The answer is very simple: check the steps below, with pics!
STEP 1 — Sample Resource
The sample shown here is a Storage Account. Mostly, all Azure resources support Resource Locks.
Locking at the resource level is the most granular option. It is fine if we plan to work at that level, but it may be time-consuming. We can put Resource Locks at the Resource Group level too. (Even a Subscription supports Resource Locks, but that is up to us and our purpose for doing so.)
STEP 2 — Locks blade/option in each Azure resource’s left-side menu
All Azure resources, Resource Groups, and even Subscriptions have the RESOURCE LOCK option (the Locks blade).
STEP 3 — Click + Add in Locks blade, to add Resource Locks
STEP 4 — Provide the lock name and notes, and understand how to choose the lock type
Lock Types — 1. Delete 2. Read-only
1. Delete Lock Type — This type of resource lock prevents resources from being deleted, but it does not stop updates or changes to the resources.
2. Read-only Lock Type — This type of resource lock prevents resources from being deleted, updated, or changed. It permits reads only. Even some API calls may be treated as updates and fail with an error. (So it is risky to use on hot-access resources; it is recommended for cold-access resources such as archives.)
Choosing the lock type is up to us and depends on our use case. The DELETE lock is recommended for preventing accidental deletes!
STEP 5 — Edit or Delete Locks to change Lock Types and Notes
Azure admins can change a lock’s type and notes by clicking the Edit icon, and can click Delete to remove the lock!
By default, none of the resources have any Resource Locks.
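An added example, not part of the original post: a Python check that works out which lock type effectively protects each resource, given that a lock placed on a Resource Group also covers the resources inside it, and lists the resources that no lock covers. The subscription ID, resource names and lock records are constructed sample data, and the `id` and `level` fields are assumed to follow the shape of `az lock list` output.

```python
LOCKS_SEGMENT = "/providers/microsoft.authorization/locks/"
# Portal "Delete" is CanNotDelete in the API; "Read-only" is ReadOnly.
# ReadOnly also blocks deletes, so it is the more restrictive of the two.
RANK = {"CanNotDelete": 1, "ReadOnly": 2}

def lock_scope(lock_id):
    """Return the scope a lock is attached to (its ID minus the lock segment)."""
    pos = lock_id.lower().rfind(LOCKS_SEGMENT)
    if pos < 0:
        raise ValueError("not a lock ID: " + lock_id)
    return lock_id[:pos].lower()

def effective_lock(resource_id, locks):
    """Most restrictive lock level covering resource_id, or None if unlocked."""
    rid = resource_id.lower().rstrip("/")
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # Match the scope itself or anything beneath it; the "/" stops
        # rg-prod from also matching rg-prod2.
        if rid == scope or rid.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best

def unprotected(resource_ids, locks):
    """Resources that no lock at any level covers."""
    return [r for r in resource_ids if effective_lock(r, locks) is None]

# Constructed sample data (placeholder subscription ID, made-up names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SA = "/providers/Microsoft.Storage/storageAccounts/"
SAMPLE_LOCKS = [
    {"level": "CanNotDelete", "id": SUB + "/resourceGroups/rg-prod"
        "/providers/Microsoft.Authorization/locks/no-delete"},
    {"level": "ReadOnly", "id": SUB + "/resourceGroups/rg-prod" + SA
        + "archive01/providers/Microsoft.Authorization/locks/freeze"},
]
SAMPLE_RESOURCES = [
    SUB + "/resourceGroups/rg-prod" + SA + "app01",
    SUB + "/resourceGroups/rg-prod" + SA + "archive01",
    SUB + "/resourceGroups/rg-prod2" + SA + "app02",
    SUB + "/resourceGroups/rg-dev" + SA + "dev01",
]

if __name__ == "__main__":
    for rid in SAMPLE_RESOURCES:
        print(effective_lock(rid, SAMPLE_LOCKS), rid)
```

To run it against a real subscription, replace `SAMPLE_LOCKS` with the parsed JSON output of `az lock list` and `SAMPLE_RESOURCES` with the resource IDs to check.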
STEP 6 — What happens if anyone tries to delete a resource while a Resource Lock is in place?
STEP 7 — The resource won’t get deleted by anyone (not even an admin) unless the Resource Lock is edited or deleted
STEP 8 — If Non-Admins tried…
Summary
Steps 1, 2 — Understand Resource Locks, how they sit outside of and differ from RBAC, and the sample resource.
Steps 3, 4 — The actual 2 steps to put Resource Locks in place!
Step 5 — Edit or delete Resource Locks!
Steps 6, 7, 8 — What happens if we try to delete a resource that has a Resource Lock, and what it looks like if we try without having access!