Prevent Azure Resources from unexpected deletion using Locks

Cloud Computing is excellent, and you can deploy and delete services in seconds and go full speed. However, with that, there are also many challenges that are coming your way. Think about control over cost, security, or compliance. You don’t want everyone to be able to deploy a large virtual machine to test their application, and you might also not want people deploying services all over the world using one of the Azure regions worldwide. The way to prevent things like this is called technical governance. However, it can be implemented in different ways.

The traditional approach was that you set a team or a person in front of the cloud, which can be called a cloud custodian or cloud broker team. And this team then decided on which services are going to get deployed and how. Now with that approach, people and processes become the limiting factor if you look at speed and agility.

To take advantage of speed and agility of the cloud, you want to give developers, operations people, or even teams and divisions in your company, but stay in control of the cloud environment. With Azure, we provide you with exactly these management tools, to make sure that you can keep control, but also keep the speed and agility the cloud promises.

Azure Resource Manager offers a couple of different tools for Azure Governance like Management Groups, Azure Policies, Azure Blueprints, Cost Management, and many more. In this quick blog, we will have a look at one of the basics called Azure Locks, which are part of the foundation. 

Lock resources to prevent unexpected changes and deletion of Azure resources

We all have been there, we wanted to clean up some resources quickly or quickly run a script which changes a couple of settings, and we realized we just made a huge mistake. That is why it is great to have some locks in place to prevent unexpected changes and deletion to happen. With locks in Azure, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

Lock Types

You can find more information about the lock types here.

Permissions to create or delete locks

You will need to have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* to create or delete locks. By default, only the build-in roles Owner and User Access Administrator have these permissions.

Locks apply restrictions across all users and roles and can be applied to different scopes. These scopes are subscription, resource groups, or resources, and all resources within that scope inherit the same lock. If you have multiple locks in place, the most restrictive lock in the inheritance is applied. If you want to know more about permissions to set locks, you can find more information here.