Azure Locks: Saving your resources from Accidents

In Azure Deleting or making changes to resources are much easier then actually creating, It doesn’t mean that provisioning resources is tough but just that deleting them is easier.

Mistakes happen, and that is a universal truth. The best you can do is limit the cost these mistakes. And a mistake of deleting a critical resource can cause damages of millions or even more. If you think that cannot happen assume someone deleting your production SQL Server service, yes that’s possible and again by just clicking 2 buttons.

Before talking about locks let me show you how easy it is to actually delete a resource in Azure, why just resource but a whole resource group. And that is a non-reversible change.

RG example

Let’s say I wish to delete Logic apps, I selected the logic app from here but instead of clicking Delete, I clicked on “Delete Resource Group” instead.

It just ask to re-enter the name of the RG and you are done.

Deleting RG

The important thing is, yes it’s two step process, but again that is also true that mistakes happen. And when a mistake has the potential to bring down your whole business it’s better to be on the safer side.

What are Locks?

A lock is as the name suggest, putting lock on your resources. There are two types of locks, one which do not allow anyone to delete the resource, secondly to prevent anyone from changing the settings of the resource.

When we say anyone cannot make the change that means anyone, if there is a lock stopping from deletes then even an Owner of the resource cannot delete it. It can only be done after removing the lock.

How to implement Locks?

The two things to know before putting a lock:

  1. A lock is automatically inherited to the lower resources, example a lock on Resource Group is also inherited by any existing or future resource inside that Resource Group.
  2. By putting Read only locks, there are some resources which do work as expected. To check about that refer this link.

As said before, there are two types of locks they are Read-Only and Delete.

  • CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
  • ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

To implement locks, go to the concerned resource and you will find “Locks” under the Settings tab. Once in it, you can add a new lock.

Putting locks

Once created, if someone try deleting this Resource Group the process will fail with the below error.

Delete notification

Summary

We cannot stop from mistakes happening in the environment, but can be better prepared and safe guard the critical resources. In Azure there is an option to put Locks on any Resource, Resource Group or even Subscription to prevent from making changes to the resources.

One thought on “Azure Locks: Saving your resources from Accidents

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s