Tutorial / Cram Notes
Resource locks ensure that critical resources remain untouched during routine maintenance or when several administrators have access to the same environment. They can be applied to any resource or to a resource group in Azure, providing a safeguard mechanism at different scope levels.
Types of Resource Locks
Azure provides two levels of locks:
- ReadOnly: When applied, users can read a resource, but they cannot delete or update it. Applying this lock means you cannot even start or restart compute resources such as VMs.
- Delete (CanNotDelete): This lock allows all operations against the resource except delete, so resources can be modified but not removed.
Applying Resource Locks
Locks can be applied through various methods: Azure Portal, Azure CLI, Azure PowerShell, or ARM templates.
Azure Portal
- Navigate to the resource or resource group you want to lock.
- Select “Locks” from the settings menu.
- Click on “Add” to create a new lock.
- Provide a name and lock level (Delete or ReadOnly).
- Save the lock.
Azure CLI
To create a resource lock with Azure CLI, use the following command:
az lock create --name <LockName> --lock-type <LockType> --resource-group <ResourceGroupName> --resource <ResourceName> --resource-type <ResourceType>
Azure PowerShell
For Azure PowerShell, the command is:
New-AzResourceLock -LockName <LockName> -LockLevel <CanNotDelete|ReadOnly> -ResourceName <ResourceName> -ResourceType <ResourceType> -ResourceGroupName <ResourceGroupName>
ARM Templates
To define a lock in an ARM template, you need to add a “Microsoft.Authorization/locks” resource to your template:
{
  "type": "Microsoft.Authorization/locks",
  "apiVersion": "2016-09-01",
  "name": "LockName",
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional lock notes"
  },
  "scope": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}"
}
Managing and Removing Resource Locks
Managing locks involves viewing existing locks and potentially removing them when changes need to be made to the locked resource.
Viewing Existing Locks
- In the Azure Portal, navigate to the “Locks” section of the resource or resource group.
- Using Azure CLI, list locks with the command az lock list.
- In Azure PowerShell, get locks using Get-AzResourceLock.
Removing Resource Locks
When you need to remove or alter the resource, the lock can be deleted by:
- Selecting the lock in the Azure Portal and pressing “Delete”.
- Using Azure CLI, remove a lock with az lock delete --name.
- With Azure PowerShell, delete with Remove-AzResourceLock -LockName.
Best Practices
- Apply locks carefully, especially ReadOnly, as this can stop automated tasks and services from running.
- Document the purpose of each lock in its notes to communicate the intent to other team members.
- Regularly review and manage locks to ensure they remain relevant and accurate to the current state of resources.
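A lock review of the kind these practices describe can be scripted over the JSON that az lock list returns. The following is an added example, not part of the original notes: it works out which lock level a resource inherits from its parent scopes (per Azure's documentation, the most restrictive lock in the inheritance chain applies) and lists locks with no notes. The sample data, the subscription ID 0000 and all function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `az lock list --output json` (not real output).
SAMPLE_LOCKS = json.loads("""
[
  {"name": "sub-nodelete", "level": "CanNotDelete", "notes": "Baseline guard",
   "id": "/subscriptions/0000/providers/Microsoft.Authorization/locks/sub-nodelete"},
  {"name": "rg-freeze", "level": "ReadOnly", "notes": null,
   "id": "/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/rg-freeze"},
  {"name": "vm-keep", "level": "CanNotDelete", "notes": "",
   "id": "/subscriptions/0000/resourceGroups/rg-dev/providers/Microsoft.Compute/virtualMachines/vm1/providers/Microsoft.Authorization/locks/vm-keep"}
]
""")

LOCK_SUFFIX = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # ReadOnly is the more restrictive level


def lock_scope(lock):
    """Scope the lock is attached to: its resource id minus the lock suffix."""
    lock_id = lock["id"]
    return lock_id[:lock_id.lower().rfind(LOCK_SUFFIX)]


def applies_to(scope, resource_id):
    """A lock covers its own scope and everything below it.

    Resource ids are case-insensitive, and the match must end on a path
    segment boundary so that rg-prod does not also cover rg-prod2.
    """
    scope, rid = scope.lower().rstrip("/"), resource_id.lower().rstrip("/")
    return rid == scope or rid.startswith(scope + "/")


def effective_lock(locks, resource_id):
    """Most restrictive level inherited by resource_id, or None if unlocked."""
    levels = [l["level"] for l in locks if applies_to(lock_scope(l), resource_id)]
    return max(levels, key=lambda lv: RANK.get(lv, 0), default=None)


def undocumented(locks):
    """Names of locks whose notes field is missing or blank."""
    return sorted(l["name"] for l in locks if not (l.get("notes") or "").strip())


if __name__ == "__main__":
    for rid in ("/subscriptions/0000/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/sa1",
                "/subscriptions/0000/resourceGroups/rg-prod2"):
        print(rid, "->", effective_lock(SAMPLE_LOCKS, rid))
    print("locks without notes:", undocumented(SAMPLE_LOCKS))
```

To run it against a live subscription, replace SAMPLE_LOCKS with the parsed output of az lock list --output json.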
Conclusion
Resource locks are a critical feature for Azure administrators, providing a simple yet powerful way to protect Azure resources from unintended alterations or deletions. By understanding how to configure these locks and implement them as part of your operational best practices, you can maintain a more secure and stable cloud environment. Remember to apply locks judiciously and maintain clear documentation for the rationale behind each lock. As part of the AZ-104 Microsoft Azure Administrator exam, understanding resource locks is crucial to demonstrate effective resource management and governance in Azure.
Practice Test with Explanation
True or False: Resource locks can be applied to resource groups and subscriptions in Azure.
- (A) True
- (B) False
Answer: A
Explanation: Resource locks can be applied at various levels including the subscription, resource group, and resource levels.
Which types of resource locks are available in Azure? (Choose two)
- (A) Read-only
- (B) Delete-only
- (C) Do Not Delete
- (D) CanNotDelete
Answer: A and D
Explanation: Azure provides two levels of resource locks: Read-only and Delete (CanNotDelete).
True or False: Once applied, resource locks can’t be removed or altered by any user, including administrators.
- (A) True
- (B) False
Answer: B
Explanation: While resource locks prevent resources from being accidentally deleted or changed, they can be removed or altered by users with the necessary permissions.
True or False: Applying a Do Not Delete lock on a resource group prevents all resources in that group from being updated.
- (A) True
- (B) False
Answer: B
Explanation: A Do Not Delete lock (also known as CanNotDelete) prevents resources from being deleted but does not prevent updates to them.
Which Azure role must a user have to apply or delete resource locks?
- (A) Owner
- (B) Contributor
- (C) Reader
- (D) User Access Administrator
Answer: A
Explanation: Users must have the Owner role or User Access Administrator role to manage resource locks.
True or False: Resource locks prevent Azure services from automatically managing resources, such as scaling operations.
- (A) True
- (B) False
Answer: B
Explanation: Resource locks do not interfere with the automatic management of resources by Azure services, such as auto-scaling operations.
Resource locks can be managed using which of the following? (Choose three)
- (A) Azure Portal
- (B) Azure CLI
- (C) Azure PowerShell
- (D) Azure Active Directory
Answer: A, B, and C
Explanation: Resource locks can be managed through the Azure Portal, Azure CLI, and Azure PowerShell. They are unrelated to Azure Active Directory.
True or False: Applying a Read-only lock to a resource group will allow users to add new resources in the resource group.
- (A) True
- (B) False
Answer: B
Explanation: Applying a Read-only lock to a resource group or resource prevents all modifications, including the addition of new resources.
Which CLI command can you use to create a CanNotDelete lock on a resource named “MyResource” in the resource group “MyResourceGroup”?
- (A) az lock create --lock-type CanNotDelete --name MyLock --resource MyResource --resource-group MyResourceGroup
- (B) az lock create --lock-type CanNotDelete --name MyLock --resource-group MyResourceGroup
- (C) az resource lock create --lock-type CanNotDelete --name MyLock --resource MyResource --resource-group MyResourceGroup
- (D) az lock create --lock-type CanNotDelete --name MyLock --resource MyResource --resource-type MyResourceType --resource-group MyResourceGroup
Answer: D
Explanation: The correct command includes specifying the lock type, name, resource, resource type, and resource group.
True or False: Resource locks can be applied to an individual resource, such as a virtual machine.
- (A) True
- (B) False
Answer: A
Explanation: Resource locks can be applied to individual resources, resource groups, and subscriptions.
When a resource lock is set at the subscription level, what resources are affected?
- (A) Only resources within the default resource group.
- (B) Only resources directly under the subscription, not within any resource group.
- (C) All resources within the subscription, including those in all resource groups.
- (D) No resources are affected as locks cannot be applied at the subscription level.
Answer: C
Explanation: When you apply a resource lock at the subscription level, all resources within the subscription, including those in all resource groups, are affected.
Which is NOT a valid scenario for using resource locks?
- (A) To prevent accidental deletion of a critical resource.
- (B) To enforce compliance by restricting changes to resources.
- (C) To grant a user temporary read-only access to a resource.
- (D) To permanently make a resource read-only with no option for unlocking.
Answer: D
Explanation: Resource locks are not meant to make resources permanently read-only; they can always be managed by users with the appropriate access rights.
Interview Questions
What is a resource lock in Azure?
A resource lock is a feature in Azure that allows you to lock a resource or a resource group to prevent accidental deletion or modification of critical resources.
What are the two types of resource locks in Azure?
The two types of resource locks in Azure are CanNotDelete and ReadOnly.
What is the CanNotDelete lock type in Azure?
The CanNotDelete lock type in Azure prevents users from deleting the locked resource, but allows all other actions such as modifying or reading the resource.
What is the ReadOnly lock type in Azure?
The ReadOnly lock type in Azure prevents users from deleting or modifying the locked resource, but allows them to read the resource.
How can you configure a resource lock in Azure?
You can configure a resource lock in Azure by navigating to the resource or resource group, selecting the Locks option under the Settings menu, clicking the Add button to add a new lock, and selecting the lock type.
How can you remove a resource lock in Azure?
You can remove a resource lock in Azure by navigating to the resource or resource group with the lock, selecting the Locks option under the Settings menu, selecting the lock to remove, and clicking the Delete button.
Who can remove a resource lock in Azure?
Only users with the appropriate permissions can remove a resource lock in Azure.
What happens when a user tries to delete or modify a locked resource in Azure?
If a user tries to delete or modify a locked resource in Azure, they will receive an error message indicating that the resource is locked.
Can a resource lock be modified after it is applied to a resource or resource group?
Yes, a resource lock can be modified after it is applied to a resource or resource group.
How can you view the list of locked resources in Azure?
You can view the list of locked resources in Azure by navigating to the Locks option under the Settings menu in the Azure portal.
Can a resource group be locked in Azure?
Yes, a resource group can be locked in Azure.
How can you ensure that your resources remain safe and secure in Azure?
You can ensure that your resources remain safe and secure in Azure by configuring resource locks and assigning appropriate permissions to users.
Is it possible to have multiple resource locks on a single resource in Azure?
Yes, it is possible to have multiple resource locks on a single resource in Azure.
Can resource locks be applied to all resources in a subscription at once?
No, resource locks need to be applied to each resource individually in Azure.
What is the importance of resource locks in Azure?
Resource locks are important in Azure as they help prevent accidental deletion or modification of critical resources in a subscription.
Great post about configuring resource locks in Azure! It really helped me understand the importance of lock levels.
Can someone explain the difference between a ‘CanNotDelete’ lock and a ‘ReadOnly’ lock?
How do resource locks affect inherited permissions on a resource group?
Is it possible to override resource locks with specific roles?
Thanks for this informative post!
Resource locks are great! But I wonder, is there a way to apply locks programmatically?
Important to note: Resource locks don’t encrypt data. They are only for preventing accidental changes or deletions.
Configuring locks via the Azure portal is straightforward but I prefer using JSON templates for consistency across deployments.