AZ-900 Episode 29 | Azure Resource Locks

  • Published on 31 Jul 2024
  • Resource Locks protect our Azure resources from accidental deletions or modifications. In this episode we will find out how!
    Skills Learned
    - Describe the functionality and usage of resource locks
    🌐 Site: marczak.io/az-900/#ep29
    Episode Resources
    - 📚 Study cheat sheet marczak.io/az-900/episode-29/...
    - 🧠 Practice Test marczak.io/az-900/episode-29/...
    Study Guide
    - Microsoft Learn: Resource Locks docs.microsoft.com/en-us/learn...
    - Azure Documentation: Resource Locks docs.microsoft.com/en-us/azur...
    Agenda
    00:00 Episode introduction
    00:22 What are Resource Locks?
    03:19 Demo
    06:19 Resource Locks Summary
    Want to connect?
    - Blog marczak.io/
    - Twitter / marczakio
    - Facebook / marczakio
    - LinkedIn / adam-marczak
    - Site azure4everyone.com
  • Science & Technology

Comments • 69

  • @GTorchify 1 year ago +5

    Passed my exams today thanks to your videos. So grateful. Was blessed to have your teaching for free on YouTube, best teaching on the internet, you're the real MVP, thanks a million 🎉🎉🎉🎉🎉

  • @_indrid_cold_ 3 years ago +17

    Phenomenal! Your Azure content is absolutely astonishing. Microsoft need to send you a million dollars.

    • @AdamMarczakYT 3 years ago +11

      I'm waiting for that million :D Thanks for the kind words!

    • @pranavbakare8922 3 years ago +1

      Absolutely 💯!!!!!!

  • @Angel_Dinev 3 years ago +1

    One more beneficial video lesson towards my quest to pass AZ-900. Thanks Adam, for supporting our efforts so generously!

  • @shubhis2466 3 years ago +5

    This whole series of AZ-900 is so helpful. I love how you pick up each topic from basics! I was completely new to the world of cloud computing. But you made it so easy and interesting at the same time. Thank you so much :) :)

    • @AdamMarczakYT 3 years ago +1

      Glad you like them! Thanks!

  • @natsumiyukipeachii 3 years ago +1

    What I love the most about your videos are the diagrams! They sure help a lot :) I am almost done with your playlist and I sure did learn a lot.

  • @ByteBurstAcademy 3 years ago +4

    First of all, it was a great video again and I like all your videos :)
    What I found interesting in resource locks is that when you assign a "Delete" resource lock to an RG and you create a new RG without any lock, you can move the resource from the locked RG to the no-lock RG and delete the resource.
    You have to make sure you give proper permissions to other users so that they can't move the resource to other RGs, otherwise the purpose of the resource lock would fail :)

    • @AdamMarczakYT 3 years ago

      Hehe, sneaky! But yeah, totally agree. Only an owner can remove a lock, but a contributor can move resources. Need to stay vigilant with access management.

  • @jabrouni2 3 years ago +2

    Timely video and a very important one. Thank you for this.
    Just one drawback I can think of with Azure resource locks is that they only protect against operations aimed at ARM APIs for some Azure resources. They do not protect against programmatic deletions. For example, even if you apply a resource lock against deleting an Azure Service Bus queue, it will prevent it from being deleted in the portal. But it won't protect against deletions initiated, say, by an ASB .NET client or ASB Explorer.
    Azure resource locks are very important, but they are one among the various measures that need to be enforced (granular control, audit logs, diagnostic settings, etc.).

    • @AdamMarczakYT 3 years ago

      Azure evolves all the time, hopefully in the future all missing pieces will be there. It's the same with Azure Policies, which don't cover all APIs either :(

  • @Noursbear 2 months ago

    Another fantastic explanation and demo

  • @AimOnTargets 1 year ago

    This series is awesome!

  • @RameshwarPoudel 2 years ago

    What amazing content. So easy to follow and use.

  • @kb8570 1 year ago

    Thank you for this video!!

  • @GodIsWithin3 9 months ago

    Great video, thank you.

  • @rupamshaw8713 1 year ago +1

    Hi Adam,
    Thanks for such wonderful course content.
    I scored 850 on AZ-900 today.

    • @ianchenjerai-wj3zu 1 month ago +1

      How is the exam? I am planning to write it soon and I am scared.

    • @ememetok 19 days ago

      @ianchenjerai-wj3zu Did you end up writing the exams? I'm scared too!!!

  • @ramazanbulbul5036 2 years ago

    A true stand-up guy!

  • @sandeeptembare 7 months ago

    Amazing explanation!

  • @idougy18091809 1 year ago

    Love it!

  • @buddhiprab 2 years ago

    😍 thanks for the great video

  • @shariqueimam4653 10 months ago

    Top work

  • @MohammadSameerA 3 years ago +1

    That was totally informative. Big like and subscribe.

  • @dougspindler4947 2 years ago

    Excellent

  • @mfalkie 2 years ago

    Hi Adam, thanks for awesome content! I do not know what was possible when you recorded this material, but currently it’s possible to un-delete a storage account within 7 days. I’ve been there :)

  • @xdonat 3 years ago +2

    Hey Adam, you do an awesome job with those videos, that is really helpful, thank you so much.
    AZ-900 certification question: Can you add two DELETE locks on the same resource / resource group?
    I thought that was a tricky one...

    • @AdamMarczakYT 3 years ago +2

      Thanks :) You can have as many locks as you like on the same resource/rg. :)

  • @stevengibson4773 3 years ago +1

    What would be the best practice given many resources require deletion locks be lifted in order to perform updates (such as AKS clusters) or to make changes to the resources? My team finds it very difficult to manage resource-group level locks while also making changes to the environment as we need to constantly take the locks off. It seems taking the locks off is a security risk as in that window of time, the resources can be deleted, which defeats the purpose of the locks.

    • @AdamMarczakYT 3 years ago +2

      A great question, Steven. In general, tools are to assist you, not the other way around :) Unless a specific scenario is presented, it's hard to propose the 'best' solution.
      For example, referring to the points you made:
      1. AKS creates a separate resource group for node management so it can easily create and destroy worker nodes at will. As such, it's not affected by a lock on the resource group where the service resides.
      2. Delete locks do not forbid making changes. So your team should not be affected. But in general resource locks are more for production use because deleted services can be recreated easily. But lost data is a business continuity issue, so resource locks help with that.
      3. The dev team shouldn't make constant changes in production.
      4. Lastly, locks are just complementary to RBAC roles. So maybe custom roles with custom permissions and no delete action would better fit your scenario.
      Hopefully you agree with me here, it really does depend on the scenario. When it comes to 'best' practices you will find as many opinions as there are people out there. But if you ask me, what would I do? Then I use RBAC to provide fine-grained permissions and restrict access as if there were no locks anyway. Then I give my dev team access only to the dev environment. Only allow the operations team to perform prod deployment and always ONLY using scripts that were tested in QA/UAT before prod. Never by hand. Often via Azure DevOps (in this case even the ops team can't change resources). Lastly, I add resource locks (delete) to all services that contain data and have no external backups, especially storage accounts. Everything else can be easily recreated as I keep my code and infrastructure in Git/GitHub/DevOps.

    • @stevengibson4773 3 years ago

      @AdamMarczakYT Thanks for this thoughtful reply. I agree with many of your points. My organization is having a meeting around this soon and your perspective is appreciated.
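
Two access-management points from the threads above (a Contributor can move resources out of a delete-locked resource group, and a custom role with no delete action can complement locks) can be checked against role definitions. This is an added example, not part of the video or the comments: the Owner and Contributor entries are abbreviated from the built-in roles, and the "App Operator" custom role is hypothetical.

```python
from fnmatch import fnmatchcase

# Control-plane operations relevant to the lock discussion above.
RISKY = {
    "remove lock": "Microsoft.Authorization/locks/delete",
    "move out of RG": "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
    "delete storage account": "Microsoft.Storage/storageAccounts/delete",
}

# Constructed sample data: Owner and Contributor are abbreviated from the
# built-in definitions; "App Operator" is a hypothetical custom role.
CONTRIBUTOR_NOT = [
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
]
ROLES = [
    {"name": "Owner", "actions": ["*"], "notActions": []},
    {"name": "Contributor", "actions": ["*"], "notActions": CONTRIBUTOR_NOT},
    {"name": "App Operator", "actions": ["*"],
     "notActions": CONTRIBUTOR_NOT + ["*/delete", RISKY["move out of RG"]]},
]

def _matches(patterns, action):
    # Azure action strings are case-insensitive and '*' spans '/' separators.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allows(role, action):
    """Granted if some Actions pattern matches and no NotActions pattern does."""
    return _matches(role["actions"], action) and not _matches(role["notActions"], action)

def audit(roles, risky=RISKY):
    """Map each role name to the risky operations its definition still grants."""
    return {r["name"]: [label for label, act in risky.items() if allows(r, act)]
            for r in roles}

if __name__ == "__main__":
    for name, ops in audit(ROLES).items():
        print(f"{name:13} -> {', '.join(ops) or 'none'}")
```

NotActions only subtracts within a single role definition, so a second role assignment can grant the same action back; run the check over every role a principal holds. The script evaluates RBAC only, so an operation it reports may still be blocked by a lock.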

  • @jyotidatta2126 3 years ago +1

    Thank you for your videos. They are very helpful in understanding Azure. However, more content can be added in this lesson, like "Can a delete lock be applied on top of a read-only lock?", "Can multiple read-only or delete locks be applied?"

    • @AdamMarczakYT 3 years ago

      There always can be more content. But this is just an introduction, not an in-depth admin course. This is why the docs exist :) Thanks for watching.

  • @jackgleeson8321 3 years ago +2

    Will you be making a video about the az-900 changes in November? I am enjoying your videos so far.

    • @AdamMarczakYT 3 years ago +2

      The agenda from the 28th episode already follows the updates. I will later release content catch-up videos for the topics that were added before ep. 28.

    • @nikitarajpoot 1 year ago

      @AdamMarczakYT Please provide an update, Adam, ASAP. Thanks for the awesome content.

  • @baybarsbagryank7515 3 years ago +2

    Hey Adam,
    Thank you for this great video. I want to ask a question. Which program do you prepare the slides with? It has very stylish things like animations, transitions, handwriting.

    • @AdamMarczakYT 3 years ago +2

      That's just PowerPoint and hand-drawn animations using a Surface Pen. Thanks for the kind words ;)

    • @Southpaw07 3 years ago

      @AdamMarczakYT Hand drawn? Wow! This is just pure talent. Adam, u da man... And love all your videos. TY, I am a subscriber

  • @brahmanandareddyb9134 2 years ago

    888 like, it's me.... nice class... THX....

  • @pareshdehadray7414 3 years ago +1

    If I have a resource lock on one resource and if I delete its resource group then what will happen?
    1. delete the resource group along with all resources?
    2. delete the other resources which are not having lock?
    3. will not delete any resource as at least one resource is having lock?

    • @AdamMarczakYT 3 years ago

      Part of learning Azure is also playing around with it. Try this yourself if you have Azure account :)

    • @pareshdehadray7414 3 years ago +1

      @AdamMarczakYT Thanks Adam. I tried it and found that if any of the resources in a resource group has a Delete lock, then we cannot delete that resource group, even if the other resources in that resource group do not have any lock.

  • @asifsomi 3 years ago

    Will the lock be applicable at the resource level only, or will it affect the inner functions of the resource? Like, a delete lock shouldn't prevent delete/update SQL in SQL Server. Please clarify.

    • @AdamMarczakYT 3 years ago +1

      It applies to all actions that go through Resource Manager. Which is quite tricky, unfortunately, because some actions do and some don't, it's just a legacy thing. But in general it applies to properties of the resource, not inner parts. For example, blob containers are considered resource properties (configuration) and are affected. But blob files are not.

  • @madridosv 2 years ago

    Thank you so much for your knowledge and ¡¡¡ teaching skill !!!. Unfortunately from Argentina the subtitles of this episode can only be seen in "Dutch". ;)

  • @rosesandhoney 1 year ago

    I have repeated the steps over and over but am not getting that message. I receive "Are you sure want to delete.....". Is there an update?

  • @Pratimakhillari 3 years ago

    Can we move a locked resource to another resource group?

  • @Ma1efcent 3 years ago

    Can you *Move* an application into a Read Only Resource Group?

    • @AdamMarczakYT 3 years ago

      What do you mean by 'move application'?

  • @abhishekkhemani3755 3 years ago

    How many videos of yours should I watch to give the AZ-900 exam??

  • @GTorchify 1 year ago

    How about az-140? Pleaseeeee

  • @jha.brajesh 2 years ago

    In this episode, you did not blink your eye on "stay tuned"😅

  • @artisticcheese 3 years ago +1

    You have 14 days to recover a deleted storage account by creating a helpdesk ticket with Microsoft, just FYI.

    • @AdamMarczakYT 3 years ago

      True. Although not all scenarios are supported (as described in the link). I'd say it's better to assume it's gone and treat this as an exception rather than a 'plan B' :). Also, the 14 days are not guaranteed, the entire recovery thing is most likely not guaranteed. But it's an excellent point.
      docs.microsoft.com/en-us/troubleshoot/azure/general/data-restore-storage?WT.mc_id=AZ-MVP-5003556

    • @iraju9964 3 years ago

      I think it may take less time sometimes, based upon the priority and weightage the Microsoft helpdesk may respond with. I heard it, is it not true, Adam Marczak...

  • @abhinavsharma-xb5bq 3 years ago +6

    You didn't wink this time while saying "so stay tuned" 😭.
    My disappointment is immeasurable and my day is ruined.

  • @syedqasim936 3 years ago

    You didn't blink this time.

  • @tycoon1661 3 years ago

    For some reason, the subtitles are in Dutch. Great video though.