Saving your production workload on Azure using Azure Resource Locks

Think of a scenario where you spend hours or maybe days to setup an environment required for a software. This can be couple of VM’s with required resources and parameters. Now consider a scenario someone in your organization who have access to same Azure subscription or even you who accidently ran a PS command and delete that resource group accidently….OUCH!

To prevent some of the above scenarios we have RBAC (Role Based Access Control) and limit who can access resources but it will never eliminate all the possible scenarios. This is where Azure Resource Locks come into the picture. This nighty feature also shines if your organization have proper cloud management policies are in place.

Good thing is Microsoft Azure Team has introduce this feature everywhere in the Azure portal – you can apply at Subscription, Resource Group, and Resource level and there is a hierarchy. If you apply is on the subscription level every resource is protected from this policy. Or better you may only want to apply this to production Resource Groups and exclude rest, yep it’s possible thanks to Azure policies concept.

For deep dive into this feature please referrer to official Microsoft documentation. You can reach there from here.

Of let’s dive in my friends Smile

The Azure locks come in two flavors. Read-Only and Delete. Read-Only option will not allow you to perform and changes to the resources when applied. This is also really useful when you don’t want any changes carried out to the resources. Eg: Changing VM size or adding disks….etc

Whereas on the Delete option you’re prevented from deleting the resources in a resource group. If Read-Only option not combine then you’re allowed to carry out the changes to the resources.  

Note: Only Owner and User Access Administrator roles can create or delete management locks

Ok I mentioned resource lock option is everywhere on Azure portal. Reason being is Azure team allows you to go into object level and provide this feature. That being said let me share few screenshots to prove the point.

image

Picture 1: Above picture shows Lock option available for a vNet.

image

Picture 2: Above picture shows Lock option available for a virtual disk

image

Picture 3: Above pictures shows the Lock option available for Resource Group

Ok I assume you’re satisfied from my point Smile Now let’s dig down to this feature.

On this scenario we’re a Resource Group called “DemoRG001” which hosts one important VM for a organization and it’s associated resources. After creating this RG we want to make sure to protect the RG and it’s objects from accidental damages from internal team members who are supposed to look after the Azure subscription.

As we saw in the first part of this article, Azure locks can be defined by two types: Read-Only and Delete. Using Azure Portal, click on Resource Groups, and then click on the desired resource group, in our case DemoRG001, and then click on locks.

image

In the new window that is display provide a name for the Lock name section and Lock type and also Notes which can be useful for later review

image

image

Note: If you’re a PS junkie (who shouldn’t be Smile) below is the command to create the required outcome.

New-AzResourceLock -LockName <lockName> -LockLevel CanNotDelete -ResourceGroupName
<resourceGroupName>

Eg: New-AzResourceLock –LockName LCKRG001 -LockLevel CanNotDelete -ResourceGroupName
DemoRG001

Now we’re setup preventing delete option to the resource group. With this feature activated let’s try to delete one of the resource inside the Resource group and observe the outcome.

I’ve tried to delete the vNet and the outcome is as follows,

image

To verify above from PS try Get-AzResourceLock

Error message highlighting the reason as “operation because following scope are locked”

You can try doing this across and object inside the Resource group and the result will be the same.

Audit the actions

If we think carefully about the above scenario we can take into consideration about logs, alerts and security. Think carefully by wearing the security person’s hat. We would like to see who tried to access the resource group and especially try to do malicious activity. Since Activity log capture every activity we can monitor what really happened by observing the logs.

image

image

Azure Resource Lock is a nifty feature and very useful for production environment. Combined this with RBAC will be great combination for granular level control of the resources as well as for security.

Now I know demonstration values more so here goes the video for you Smile

https://www.youtube.com/watch?v=iy1jtyoP7Ok

Any questions lads?