Just as you do on-premises, you must secure your resources. Learn how to lock Azure resources, using the portal, a template and PowerShell.
- [Instructor] After you have spent all the time to configure your resources, the last thing you want is for that resource to be accidentally deleted. We can prevent this using Azure Locks. Objects that we can lock include the subscription itself, resource groups and specific resources. In order to lock a resource, you must either have the Microsoft.Authorization or the Microsoft.Authorization/locks right.
Only the owners and user access admins have these rights. If you only have the contributor role, you will not be able to implement locks. There are two lock levels within Azure. First of all, there's the CanNotDelete. Resources could be read and modified but cannot be deleted. And then there's the ReadOnly. In this case, resources can be read but the resources cannot be deleted or updated or modified. Applying the ReadOnly lock may lock down the resource too much because other operations are required.
So let's go ahead and pop into Azure and start off with showing you how we do it via the Portal. As you can see, I'm in the Portal. Go to Resource groups. And then let's take a look at SimpleVM again. You'll notice that we have several resources within this resource group. And I'll lock three of these resources using three different methods. The first one is the easiest one. I'm going to go ahead and click on SimpleVM. I'm going to scroll down a little bit until I find Locks under Settings.
And add a lock. Provide a lock name. I'm going to provide my lock type. Again, I can choose a Delete or Read only. I'm going to go ahead and use Delete and I could provide some notes if I wanted to do so. I can go ahead and click OK. Now that virtual machine cannot be deleted. I could also apply this lock at the resource group level or at the subscription level if I wanted to do so. If I wanted to delete a lock, I have to scroll all the way over to the context menu and then click Delete.
That's it. That simple. That VM is now protected. While we're still in the Azure Portal, let's go ahead and look at how we apply a lock using a template. I'm going to go ahead and close this blade. Next I'll scroll down until I find Templates. If you do not have Templates in your list, scroll all the way down, go to More services and then Search. You'll notice that I already have a couple of templates available to me.
We'll be working on the vnetlock template. As we can see, this applies a lock to a virtual network. In the last chapter, I showed you how to upload templates into Azure. Please refer back if you haven't done that as of yet. In this case, I have already uploaded our template into Azure. And I can take a look at what this template will do. We can see the schema, our parameters and our parameters will be providing the name of the lock resource. It will be a string.
And scroll over a little bit, we'll see that the resource that we're working with will be our virtual network, providers and then locks. And in this case, it's also a cannot delete. And go ahead and close this. Let's go ahead and deploy this. The first thing I need to do is apply the resource group. We're going to do it to the SimpleVM again. And our network happens to be called simplenetwork. You'll have to scroll down. You'll have to agree to the terms and conditions.
And finally, Purchase. And the reason that Microsoft uses the word Purchase here is if this template was deploying additional resources, you would incur cost for those. I'm going to go ahead and click Purchase. This will take a moment. We can now see that SimpleNetwork was locked. But let's double check it. We'll click in the SimpleNetwork and we'll click on Locks. And there's our vNetLock. And finally, we can lock resources using PowerShell.
I'm going to show you how we're going to lock the storage account using PowerShell. First thing I need to do is launch PowerShell. To do so, I am using ISE. So I've clicked the Windows key. I'm going to search for ISE. And I'm going to run it as administrator. First thing I need to do, as we always do, is log into our Azure account. Using the command, Login-AzureRmAccount. And I'll run that command.
I can see that I am not in the right subscription. Therefore, I need to change my subscription. To do so, I'm going to use the command Select-AzureRmSubscription and then I'll provide the subscription ID. I'm going to go ahead and run that command. We can now see that I am in the correct subscription. We can now go ahead and apply that lock to our storage account within our SimpleVM resource group.
To do so, we'll start off with using the cmdlet New-AzureRmResourceLock. I'm going to provide the lock level of CanNotDelete. I'm going to provide the lock name, the resource name. In this case, it will be the storage disks that are associated with our VM. Next our resource type. And in this case, it will be Microsoft.Storage/storageAccounts.
And finally, our resource group name. Which is SimpleVM. And go ahead and run that command. I am being prompted with a warning. Yes, I am sure I want to do this. So here we can see we have an error. So obviously, I've typed something wrong. So now it's a matter of trying to figure out what I mistyped. In here, I can actually see new Azure resource lock, the resource is not found. At least it gives me an idea where to look.
Now I can scroll over and go, well microsoft.storage is correct. My storage accounts is correct and my SimpleVM, oh wait, I have simpledisk. I do not have simplevmdisk and that's my error. I'm going to pop back up. Enter in VM and now I'm going to go ahead and re-run that command. Yes, I'm being prompted for the warning again. And there we are. The lock has now been applied. Normally, you would probably put all of these into a single script that you would run in one shot.
I like to do it in ISE and run through each command to show you each step of that script. And there you have it. You can apply locks with the Portal, using a template or through PowerShell.
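The PowerShell steps from the walkthrough, collected into one script as an added example (not the instructor's own code). It also checks that the target resource exists before locking, which catches the mistyped resource name seen in the demo; the subscription ID, storage account name and lock name are placeholders or assumptions.

```powershell
# Added example; assumes the AzureRM module used in the walkthrough.
$ErrorActionPreference = 'Stop'

$subscriptionId = '<subscription-id>'                 # placeholder
$resourceGroup  = 'SimpleVM'                          # resource group from the walkthrough
$resourceName   = '<storage-account-name>'            # placeholder
$resourceType   = 'Microsoft.Storage/storageAccounts'
$lockName       = 'storageLock'                       # hypothetical lock name

# Sign in and switch to the subscription that holds the resource group.
Login-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscriptionId | Out-Null

# Confirm the target exists before locking it. A mistyped name otherwise
# only surfaces as a "resource not found" error from the lock cmdlet.
$candidates = Get-AzureRmResource | Where-Object {
    $_.ResourceGroupName -eq $resourceGroup -and $_.ResourceType -eq $resourceType
}
if ($candidates.Name -notcontains $resourceName) {
    throw ("No $resourceType named '$resourceName' in '$resourceGroup'. " +
           "Found: $($candidates.Name -join ', ')")
}

# Scope shared by the lock cmdlets below.
$lockArgs = @{
    ResourceGroupName = $resourceGroup
    ResourceName      = $resourceName
    ResourceType      = $resourceType
}

# Create the lock only if one with this name is not already present.
# -Force suppresses the confirmation prompt shown in the demo.
$existing = Get-AzureRmResourceLock @lockArgs | Where-Object { $_.Name -eq $lockName }
if (-not $existing) {
    New-AzureRmResourceLock @lockArgs -LockName $lockName -LockLevel CanNotDelete `
        -LockNotes 'Prevent accidental deletion' -Force | Out-Null
}

# Verify: list the locks now applied to the storage account.
Get-AzureRmResourceLock @lockArgs | Select-Object Name, LockId
```

The account running this needs the lock rights described at the start of the lesson; a Contributor-only account will fail at the New-AzureRmResourceLock step.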
- Implementing Azure Resource Manager templates
- Creating a template from a deployment
- Deploying a template using the portal
- Deploying a template using PowerShell
- Using Azure Quickstart Templates
- Using service principals
- Locking Azure resources
- Securing Azure subscriptions
- Azure active directory roles
- Designing custom RBAC roles