Protect Azure Resources from Accidental Changes and Deletion


A topic that comes up often in conversations about the Cloud is "How do I protect Virtual Machines and other Cloud resources from accidental deletion?" Microsoft Azure provides a simple and effective way for Administrators to do this through "Locks".

When combined with other administration best practices, like backups, Locks allow administrators to ensure resources are not accidentally or intentionally changed, deleted, or otherwise modified.

Locks have two settings:

  • CanNotDelete – Users with the right permissions can still read and change the configuration of the Azure resource, but cannot delete it
  • ReadOnly – Users can read the Azure resource, but cannot change or delete it

Administrators can create Locks and apply them at any level of the hierarchy. For example, applying a Lock to a Resource Group applies that Lock to all the child objects (and their children) of the Resource Group. Newly created resources within the group automatically inherit the Lock.

How to Create a Lock

Step 1 – Open the Locks Blade under the resource for which you want to create the Lock. In this case, a Test VM for Backups in my Lab.

[Screenshot: Locks blade]

Step 2 – Create a New Lock and specify the Name, Lock Type, and Description.

[Screenshot: New Lock]

Step 3 – Apply the Lock and Test. I attempted to add an additional Virtual Disk to the VM.

[Screenshot: Update failed]

It is as simple as that. I would recommend that you incorporate locks the same way you utilize permissions. Try to implement them as far up the chain as possible to ensure ease of management. I would also recommend adding an automated scan (using PowerShell or Management Tools) of your Azure environment for unlocked resources to your health and maintenance activities.
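As an added example (not code from the original post), here is the kind of unlocked-resource scan recommended above, written in Python against constructed sample data shaped like simplified `az resource list` and `az lock list` output; the subscription id, resource group and resource names are placeholders. It applies the inheritance rule described earlier (a lock on a scope covers everything beneath it) and treats ReadOnly as stronger than CanNotDelete, since ReadOnly also prevents deletion.

```python
"""Effective-lock audit: report resources that have no lock once inheritance is applied."""
import re
from typing import Optional

# Constructed sample data (placeholder ids, not real Azure identifiers).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCES = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web"},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web"},
    {"id": f"{SUB}/resourceGroups/rg-lab/providers/Microsoft.Compute/virtualMachines/vm-backup-test"},
    {"id": f"{SUB}/resourceGroups/rg-lab/providers/Microsoft.Network/virtualNetworks/vnet-lab"},
]
# A lock's id is "<scope>/providers/Microsoft.Authorization/locks/<name>".
LOCKS = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/rg-nodelete",
     "level": "CanNotDelete"},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Network/networkSecurityGroups/nsg-web"
           "/providers/Microsoft.Authorization/locks/nsg-ro", "level": "ReadOnly"},
    {"id": f"{SUB}/resourceGroups/rg-lab/providers/Microsoft.Compute/virtualMachines/vm-backup-test"
           "/providers/Microsoft.Authorization/locks/vm-nodelete", "level": "CanNotDelete"},
]

LOCK_TAIL = re.compile(r"/providers/Microsoft\.Authorization/locks/[^/]+$", re.IGNORECASE)
STRENGTH = {"CanNotDelete": 1, "ReadOnly": 2}  # ReadOnly implies CanNotDelete


def lock_scope(lock_id: str) -> str:
    """Strip the lock's own tail from its id to obtain the scope it is applied to."""
    scope, n = LOCK_TAIL.subn("", lock_id)
    if n != 1:
        raise ValueError(f"not a lock id: {lock_id}")
    return scope


def covers(scope: str, resource_id: str) -> bool:
    """A lock covers a resource if the resource is the scope itself or sits anywhere beneath it."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def effective_lock(resource_id: str, locks: list) -> Optional[str]:
    """Strongest lock level inherited from any enclosing scope, or None if unlocked."""
    levels = [lk["level"] for lk in locks if covers(lock_scope(lk["id"]), resource_id)]
    return max(levels, key=STRENGTH.__getitem__, default=None)


def unlocked(resources: list, locks: list) -> list:
    """Ids of resources with no effective lock; the finding an audit should raise."""
    return [r["id"] for r in resources if effective_lock(r["id"], locks) is None]


if __name__ == "__main__":
    for r in RESOURCES:
        print(f"{effective_lock(r['id'], LOCKS) or 'UNLOCKED':13} {r['id']}")
```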

In addition to Locks, you need to also consider recovery in the event of accidental deletion or a mistake.  Here are two simple ways to ensure you can recover.

Take Backups – Every Azure Environment should be backed up and protected with at least one full backup copy in an Azure Storage Vault. In the event of accidental deletion, you can at least recover to your most recent full backup. You can implement more granular backup policies to enhance your ability to recover. Azure Backup is easy to set up and can be backing up in minutes.

Backup and Export Configurations – Some resources, like Network Configurations, NSGs, Virtual Networks, etc., cannot be backed up using Azure Backup. To be able to recover quickly from mistakes, I recommend you apply common network management best practices and export a backup of all configurations prior to making changes to production systems. This can be accomplished by simply opening the "Automation Script" Blade for the resource and using the "Download" link to download the configuration in the format of your choice. This configuration can then be used to "reset" the resource back to its original settings if rollback is required. I would recommend a routine export of your configurations as part of your health and maintenance activities.

[Screenshot: Export configuration]

To learn more about Locks and other ways to implement and automate them, check out the official Microsoft Documentation.

Jason Webster

Director of Cloud and Managed Services at eGroup
I am a strategic leader who is currently focused on helping organizations achieve their productivity goals with Cloud, Software and Managed Solutions. The role of Technology is to make people and processes more productive. My goal is to help organizations make decisions that are right for their business to make them more productive with their goals.