Managing Lock Inheritance
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
Lesson: Managing Lock Inheritance in Azure
Introduction: The Critical Role of Resource Locks
In the sprawling ecosystem of cloud infrastructure, accidental deletion or modification of resources is a common source of downtime and configuration drift. Whether it is a junior administrator mistakenly deleting a production database or an automated script wiping out a virtual network, the consequences can be expensive and time-consuming to rectify. Azure Resource Locks provide a simple yet powerful mechanism to prevent these accidental changes by placing a protective barrier around your resources.
However, simply applying a lock to a single resource is rarely enough in a complex environment. Azure resources are organized hierarchically: Subscriptions contain Resource Groups, which in turn contain individual resources. Understanding how locks behave when applied at different levels of this hierarchy—specifically, how they propagate downward—is the core of managing resource locks effectively. This concept is known as "Lock Inheritance."
Managing lock inheritance is not just about protection; it is about maintaining a balance between safety and operational agility. If you lock everything at the subscription level, you may find yourself unable to perform necessary maintenance or updates. If you lock nothing, you risk catastrophic data loss. This lesson will guide you through the mechanics of inheritance, the different types of locks available, and how to design a governance strategy that keeps your environment safe without hindering your team’s productivity.
Understanding the Azure Resource Hierarchy and Locks
To understand inheritance, we must first visualize the Azure resource hierarchy. At the top, you have the Management Group (optional), followed by the Subscription, the Resource Group, and finally, the individual Resource (such as a Virtual Machine, Storage Account, or SQL Database).
When you apply a lock at a higher level, such as the Subscription or Resource Group, that lock is automatically applied to all child resources within that scope. This is the essence of inheritance. If you place a "ReadOnly" lock on a Resource Group, every single resource contained within that group—and any resource you add to that group in the future—will inherit that lock.
The Two Types of Resource Locks
Before diving deeper into inheritance, it is important to distinguish between the two types of locks supported by Azure. These locks determine the level of restriction applied to the resources:
- ReadOnly: This lock prevents any changes to the resource. It allows authorized users to read the resource but prevents them from deleting or updating it. For example, if you place a ReadOnly lock on a storage account, you can list the containers and blobs, but you cannot upload new files or change the access policies of the container.
- CanNotDelete: This lock allows authorized users to read and modify the resource, but it prevents them from deleting it. This is often the preferred choice for production databases or critical network components where you want to allow configuration changes but want to ensure the resource itself is not accidentally removed.
Callout: ReadOnly vs. CanNotDelete It is a common misconception that ReadOnly is "safer" than CanNotDelete. While ReadOnly is more restrictive, it often breaks standard operations. Many Azure resources require the ability to "write" metadata or update status information during normal operation. A ReadOnly lock can cause unexpected failures in services that rely on background updates. Always prefer CanNotDelete for operational resources, reserving ReadOnly for static infrastructure that truly should never change.
The Mechanics of Lock Inheritance
Inheritance in Azure is absolute. When you apply a lock to a parent, the child resources do not have a choice in the matter; they inherit the lock attributes immediately. This behavior is designed to ensure that governance policies are enforced consistently across the environment.
How Inheritance Propagates
Consider a scenario where you have a "Production" Resource Group. Inside this group, you have a virtual machine, a managed disk, and a virtual network. If you apply a CanNotDelete lock to the "Production" Resource Group, you have effectively protected all three of those resources. If you later add a new SQL Database to that same Resource Group, it will automatically inherit the CanNotDelete lock the moment it is created.
This behavior is highly effective for enforcing "guardrails." By locking the Resource Group, you create a zone where no one can accidentally delete the entire infrastructure. However, this also means that if you need to delete a single resource within that group, you must first remove the lock from the parent Resource Group or explicitly override the behavior if the platform allows (which, in the case of locks, it generally does not—you must remove the lock at the level it was applied).
Why Inheritance Matters for Governance
In large enterprises, resource management is often delegated to different teams. You might have a central IT team managing the subscription and specific development teams managing their own Resource Groups. By applying a lock at the subscription level, the central IT team can ensure that no one—regardless of their permissions—can delete core infrastructure components.
Inheritance provides a "set it and forget it" approach to security. Once the hierarchy is locked, you do not need to worry about manually locking every new resource that is provisioned. As long as the resource is placed within the locked scope, the protection is guaranteed.
Practical Examples: Applying Locks at Different Scopes
Let’s look at how to interact with locks using the Azure CLI. These examples will illustrate how inheritance works in practice.
Example 1: Applying a Lock at the Resource Group Level
Suppose you have a resource group named RG-Finance-Prod. You want to ensure that no one deletes this group or any resources inside it.
# Apply a CanNotDelete lock to the Resource Group
az lock create --name "ProtectFinanceRG" \
--lock-type CanNotDelete \
--resource-group "RG-Finance-Prod"
Once this command is executed, any attempt to delete a virtual machine or storage account inside RG-Finance-Prod will fail with an "Authorization Failed" error, even for users with Owner or Contributor roles.
Example 2: Verifying Inherited Locks
You can check which locks are currently affecting a specific resource by listing the locks at that resource's scope. Note that the output will show locks applied directly to the resource as well as those inherited from parent scopes.
# List all locks affecting a specific storage account
az lock list --resource-group "RG-Finance-Prod" \
--resource-name "financeblobs001" \
--resource-type "Microsoft.Storage/storageAccounts" \
--output table
Note: When you list locks on a child resource, Azure will display the locks inherited from the parent. This is critical for troubleshooting "Access Denied" errors. If a user cannot delete a resource, they should always check the parent resource group and subscription for inherited locks.
Managing Inheritance: Best Practices and Pitfalls
While inheritance is a powerful tool, it requires careful planning. If you apply locks indiscriminately, you will create significant friction for your operations teams.
1. Avoid "Over-Locking"
A common mistake is applying a ReadOnly lock at the subscription level. This effectively freezes the entire subscription. While this sounds secure, it prevents the deployment of new resources, the updating of existing configurations, and even the creation of diagnostic logs. Use CanNotDelete as your default policy, and reserve ReadOnly for specific, static resources.
2. Use Tags to Identify Locked Resources
Since locks are invisible in many parts of the Azure portal, it is a best practice to use Azure Tags to identify resources or groups that have locks applied. For example, a tag like LockStatus: Protected can help administrators quickly identify why a resource cannot be deleted without needing to check the locks blade for every single item.
3. Communicate with the Team
Locks are a "hard" stop. If a developer attempts to run a Terraform plan or an ARM template deployment that involves deleting a resource, the process will fail. Ensure that your CI/CD pipelines are aware of the locks. In many cases, you may need to include steps in your automation to remove the lock, perform the operation, and then re-apply the lock—though this should be done with extreme caution.
4. The "Owner" Role Bypass
It is important to remember that having the "Owner" or "User Access Administrator" role allows a user to remove locks. Locks are meant to prevent accidental actions, not to provide a security boundary against malicious insiders with high-level permissions. Do not rely on locks as a substitute for proper Role-Based Access Control (RBAC).
Warning: Do not assume that a lock provides absolute security. An administrator with the authority to manage locks can simply delete the lock and then delete the resource. Always combine Resource Locks with RBAC to ensure that only the correct people have the authority to manage the locks themselves.
Comparison Table: Lock Strategies
| Strategy | Scope | Lock Type | Best For |
|---|---|---|---|
| Strict Governance | Subscription | CanNotDelete | Preventing accidental deletion of entire environments. |
| Operational Guardrails | Resource Group | CanNotDelete | Protecting production apps while allowing updates. |
| Static Data Protection | Individual Resource | ReadOnly | Archival storage or static configuration files. |
| Dev/Test Flexibility | None | N/A | Allowing rapid teardown and rebuild of dev environments. |
Step-by-Step: Implementing a Lock Strategy
If you are tasked with implementing a lock strategy for your organization, follow this systematic approach to minimize disruption.
Step 1: Audit Existing Resources
Before applying locks, identify which resources are truly critical. Run a script or use the Azure Resource Graph to list all resources and categorize them by environment (Prod, Dev, Staging).
Step 2: Define the Scope
Decide where the locks should live. For production environments, applying a CanNotDelete lock at the Resource Group level is usually the "sweet spot." It protects the group while allowing the resources within to function normally.
Step 3: Apply Locks via Infrastructure as Code (IaC)
Do not apply locks manually in the portal. If your infrastructure is managed via Terraform or Bicep, include the lock definition in your template. This ensures that the lock is applied at the same time the resource is created, leaving no window of vulnerability.
Example: Bicep for a Resource Lock
resource lockResource 'Microsoft.Authorization/locks@2016-09-01' = {
name: 'PreventDeletion'
properties: {
level: 'CanNotDelete'
notes: 'Protected by organizational policy.'
}
}
Step 4: Test the "Break-Glass" Procedure
Document how to remove the lock in an emergency. If a production database is failing and needs to be replaced, the team needs to know exactly who has the permissions to remove the lock and the steps to re-apply it afterward.
Common Pitfalls and How to Avoid Them
Pitfall 1: Breaking Automated Deployments
Automation scripts often include a "delete and recreate" step. If you lock the resource, the script will crash.
- Solution: Update your automation to check for the existence of a lock before proceeding. If a lock exists, the script should either skip the deletion or include a step to remove the lock temporarily.
Pitfall 2: Forgetting About Diagnostic Settings
Many Azure services create logs and metrics. A ReadOnly lock can sometimes prevent these services from writing their telemetry data, leading to gaps in your monitoring.
- Solution: Always test your application performance after applying a
ReadOnlylock. If monitoring stops, you know the lock is too restrictive.
Pitfall 3: Inheritance "Shadowing"
If you have a lock on a Subscription and a different lock on a Resource Group, it can become confusing which lock is preventing an action.
- Solution: Maintain a simple, flat hierarchy for locks. Try to apply locks at the Resource Group level consistently, rather than mixing Subscription-level and Resource-level locks.
Advanced Considerations: Managed Identities and Locks
When working with Managed Identities, locks can occasionally introduce complexities. If a Managed Identity is assigned to a virtual machine, and you lock the resource group containing both the VM and the identity, certain management operations might be restricted.
Always remember that locks are enforced by the Azure Resource Manager (ARM). Any operation that flows through the ARM API will be evaluated against the lock. This includes CLI commands, PowerShell, the Azure Portal, and REST API calls. If you are using a tool that interacts directly with the underlying compute or storage layer (bypassing the ARM API), the lock might not apply, though this is rare in standard Azure usage.
The Human Element: Permissions and Locks
It is vital to distinguish between "who can delete" and "who can manage locks." By default, the Owner and User Access Administrator roles have the permission Microsoft.Authorization/locks/*. This allows them to create, update, and delete locks.
If you have a team of developers who are Contributors, they can manage resources but they cannot remove the locks you have placed on those resources. This is a very powerful configuration. It allows developers to work freely within the resource group, but they are physically unable to delete the resources because they lack the permissions to remove the CanNotDelete lock. This is the ideal balance of power and safety.
Summary Checklist for Success
To ensure your implementation of resource locks is robust and effective, keep this checklist handy:
- Categorize your resources: Separate production from non-production.
- Apply
CanNotDeletewidely: Use it for all production resource groups. - Use
ReadOnlysparingly: Only for static or archival infrastructure. - Use IaC: Define locks in your templates to ensure consistency.
- Audit regularly: Use Azure Resource Graph to find resources without locks.
- Review permissions: Ensure only the necessary personnel can manage locks.
- Document the emergency process: Know how to remove locks when a real incident requires it.
Key Takeaways
- Inheritance is Automatic: When you apply a lock to a parent scope (Subscription or Resource Group), all child resources inherit that lock immediately. There is no way to opt-out of an inherited lock at the child level.
- Choose the Right Lock Type:
CanNotDeleteis the standard for operational protection, whileReadOnlyis for static resources. AvoidReadOnlyon active resources that require status updates or metadata writes. - Locks are Not Security: Locks prevent accidental actions, not malicious ones. They do not replace the need for strong RBAC (Role-Based Access Control) and should be used in conjunction with it.
- Automation Awareness: Ensure your CI/CD pipelines are configured to handle locks. If your automation relies on deleting and recreating resources, it must be programmed to handle lock removal and re-application.
- Governance via Hierarchy: Use the hierarchy to your advantage. By locking at the Resource Group level, you create a standard protective boundary that applies to all current and future resources within that group.
- Visibility Matters: Use tags to keep track of locked resources. Because locks are not always obvious in the portal, descriptive tags help teams understand why they might be restricted from performing certain actions.
- Test Before Enforcing: Always test the impact of a lock in a non-production environment before rolling it out to production, especially when using
ReadOnlylocks, to ensure you do not break background processes or monitoring.
By mastering lock inheritance, you transition from simply "using" the cloud to "governing" it. You provide your organization with the safety net required to innovate quickly without the constant fear of accidental infrastructure destruction. Remember that the best governance is invisible until it is needed—and with resource locks, you have the ultimate safety mechanism for your Azure environment.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons