Role-based access control (RBAC) provides granular control over who can access resources, but it cannot prevent accidental deletion or modification of those resources. Organizations may need to lock a subscription, resource group, or individual resource to prevent accidental deletion or modification of critical resources. I work in a very large team and found locks very helpful to prevent unwanted modifications to NSGs and route tables that are shared across resources within the same subnet.
Let’s get started
There are two types of locks in Azure.
- CanNotDelete (Delete): users can read and modify the resource but can’t delete it.
- ReadOnly: users can read the resource but can’t delete or update it.
Locks can be applied at the subscription level, at the resource group level, or directly on a resource. A lock at a parent scope is inherited by everything beneath it: if a lock is applied at the resource group level, every resource in that resource group inherits the lock, and so does any resource created in that group later.
The Microsoft.Authorization/* or Microsoft.Authorization/locks/* permission is required to create or delete locks. Of the built-in roles, only Owner and User Access Administrator include these actions, so Contributors can neither add nor remove a lock.
Let’s add a lock to a resource.
- In the resource panel, under Settings, click Locks.
- In the Locks pane, click + Add.
- Enter a lock name, and then select Read-only or Delete from the Lock type menu.
- Enter a description in the Notes field (optional).
- Click OK.
Since a Delete lock has been added to my VM, Azure will prevent it from being deleted until the lock is removed.
Locks are very useful when you are working in a large team or want to prevent surprises in a production environment. Locks can also be set up using ARM templates, PowerShell, or Azure CLI; refer to the URL below for more information.
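As an added example (not code from the original post), this is the same workflow in Azure CLI, applied to the shared NSG and route table case described above: lock the two shared resources with CanNotDelete, lock a whole resource group so children inherit the lock, list what is in effect, and remove a lock as a deliberate step before a delete. The resource group, resource names and lock names are placeholders; it assumes an `az login` session and the Microsoft.Authorization/locks/* permission. Setting `AZ=echo` prints the commands instead of running them, which is handy for reviewing a change before it touches production.

```shell
#!/bin/sh
# Added example, not from the original post. Locks shared network resources
# with Azure CLI. Assumes `az login` has been run and the caller holds
# Microsoft.Authorization/locks/* on the target resource group.
# Set AZ=echo to print the commands instead of running them (dry run).
set -eu
AZ="${AZ:-az}"

# Put a lock on one resource. Lock names are derived from the resource name.
#   $1 resource group   $2 resource name
#   $3 resource type, e.g. Microsoft.Network/networkSecurityGroups
#   $4 lock level: CanNotDelete or ReadOnly
#   $5 note shown in the portal next to the lock
lock_resource() {
  $AZ lock create \
    --name "lock-$2" \
    --lock-type "$4" \
    --resource-group "$1" \
    --resource "$2" \
    --resource-type "$3" \
    --notes "$5"
}

# Lock the NSG and route table a subnet shares. CanNotDelete keeps rules
# editable but stops anyone removing the whole object by accident.
#   $1 resource group   $2 NSG name   $3 route table name
lock_shared_subnet_resources() {
  lock_resource "$1" "$2" Microsoft.Network/networkSecurityGroups \
    CanNotDelete "Shared by every VM in the subnet; remove the lock before deleting"
  lock_resource "$1" "$3" Microsoft.Network/routeTables \
    CanNotDelete "Shared by every VM in the subnet; remove the lock before deleting"
}

# Lock a whole resource group; every child resource inherits the lock,
# including ones created later. ReadOnly also blocks write-style management
# calls (for example listing storage account keys), so prefer CanNotDelete
# unless you really want a freeze.
#   $1 resource group   $2 lock level
lock_resource_group() {
  $AZ lock create --name "lock-rg-$1" --lock-type "$2" --resource-group "$1"
}

# Show the locks applied to a resource.
#   $1 resource group   $2 resource name   $3 resource type
list_resource_locks() {
  $AZ lock list --resource-group "$1" --resource "$2" --resource-type "$3" \
    --query "[].{name:name, level:level, notes:notes}" --output table
}

# Removing a lock is a separate, deliberate step before a delete.
#   $1 resource group   $2 resource name   $3 resource type
unlock_resource() {
  $AZ lock delete --name "lock-$2" --resource-group "$1" \
    --resource "$2" --resource-type "$3"
}

# Example run (placeholder names): lock the shared NSG and route table, then
# review what is in effect.
#   lock_shared_subnet_resources rg-shared nsg-app rt-app
#   list_resource_locks rg-shared nsg-app Microsoft.Network/networkSecurityGroups
```

Because a resource group lock is inherited, locking the group is the simplest way to cover resources that will be created later; the resource-level functions are for the case in the post, where only the shared NSG and route table need protection while the VMs around them stay freely deletable.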
Prevent Accidental Deletion of Resources in Azure with Locks