I want to protect my Azure Private DNS against accidental deletion. At first I placed a resource lock on the DNS zone. But this prevented me from deleting individual virtual network links (microsoft.network/privatednszones/virtualnetworklinks), as these are child resources and thus also locked. I want to still be able to delete these without removing the lock first. I only want to protect the whole zone from being deleted.
Is it possible to place locks that won't be inherited by child resources?
To protect Azure Private DNS against accidental deletion, applying a CanNotDelete lock to the whole zone can prevent it from being deleted. CanNotDelete denotes that a resource is accessible to view and edit but cannot be deleted by other users. According to my knowledge, resource locks on the DNS zone are inherited by child resources.
The basic structure of resource locks states that a lock applies to child resources as well; thus, if you place a lock on your resource group, all of its resources, both existing and newly added, will be protected.
When you apply a lock at a parent scope, all resources inside of the scope inherit the same lock. Even resources you add later will have the same parent lock.
Additionally, you can make use of a custom role to enable full control over a DNS resource, preventing the user account from deleting zones or modifying records of other types.
Reference:
protecting-against-zone-deletion
Easiest-way-to-prevent-accidental-resource-deletion
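A custom role definition of the kind the answer above refers to, added here as an example and not part of the original answer: it grants full control over Private DNS zones and their child resources (record sets, virtual network links) but withholds the zone-level delete action, so a principal holding only this role can remove a virtual network link yet cannot delete the zone itself. The role name, the description and the subscription placeholder in AssignableScopes are assumptions; the operation names are the documented Microsoft.Network operations.

```json
{
  "Name": "Private DNS Zone Contributor (no zone delete)",
  "IsCustom": true,
  "Description": "Example role (assumed name): manage Private DNS zones, record sets and virtual network links, but never delete a zone itself.",
  "Actions": [
    "Microsoft.Network/privateDnsZones/*",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/join/action",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
    "Microsoft.Network/privateDnsZones/delete"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

Save it as role.json and create it with `az role definition create --role-definition @role.json`, then assign it instead of Contributor to the people who manage the links. Two caveats worth checking before relying on it: NotActions only subtract from this role's own Actions, so a user who also holds Contributor or Owner through another assignment can still delete the zone; and unlike a lock, the role protects only against the principals it is assigned to, not against everyone.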
Related
I am creating an Azure policy to enforce some naming conventions. I want to enforce this policy only for any new resources being created. I am planning to use Deny as an Effect.
Will the Deny effect block the existing resources being re-provisioned?
Is there any way to implement this without impacting the re-provisioning of old resources? As per the document here, it says updating will be prohibited.
As mentioned in the link that you provided, the policy is applied "When creating or updating a matched resource".
However, you can enforce a policy per resource group.
So, if you have the possibility to keep all the existing resources in one resource group and all the new resources in a second resource group, then you can get around it by applying the policy only to the second resource group.
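To make the scoping point above concrete, here is an added example of a naming-convention policy definition with the Deny effect (not from the original question or answer). It is written in the form the portal's policy definition editor accepts; the resource type, the wildcard pattern and the parameter name are assumptions, since the question does not state its convention.

```json
{
  "mode": "All",
  "parameters": {
    "namePattern": {
      "type": "String",
      "metadata": {
        "displayName": "Required name pattern",
        "description": "Wildcard pattern that storage account names must match (assumed example: prod-*)"
      },
      "defaultValue": "prod-*"
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Storage/storageAccounts"
        },
        {
          "not": {
            "field": "name",
            "like": "[parameters('namePattern')]"
          }
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  }
}
```

The definition itself does not decide which resources are affected; the assignment scope does. Assigned to the resource group that holds only new resources, it denies any non-matching create or update there and leaves the resource group with the old resources untouched, which is exactly the workaround the answer describes. Re-deploying an existing non-compliant resource into the assigned scope would still be rejected, because a redeployment is an update of a matched resource.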
If an Azure Databricks workspace, which also contains notebooks, gets deleted by someone, is it possible to recover that Databricks workspace along with the notebooks?
If so, please explain how we can achieve this.
If you are looking to prevent deletion, you can set Azure Resource locks. Specifically you can set the CanNotDelete lock. This lock means authorized users can still read and modify a resource, but they can't delete the resource.
Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One resource group contains an overview of the service and isn't locked. The other resource group contains the infrastructure for the service and is locked. You should lock the resource containing the service to prevent accidental deletion.
If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because it's owned by a system application.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources
When I create an AKS cluster using the Azure portal, I can see that new resource groups are created. It seems that I have no control over how they are named, especially the one with the "MC_" prefix. I also don't see an option to change its name when using an ARM template.
In addition, if I create a cluster in customer's subscription, where I only have access to 1 resource group, I don't even see the newly created RG and can't manage it.
Is there a way to force deployment of all AKS components into a single resource group?
No, there is no way to force it at this point in time. As for the access, you should request access to that RG. No real workarounds.
The secondary resource group name can be inferred, I think; it's something like:
MC_original-resource-group-name_aks-resource-name_location
It also creates an OMS resource group (if you enable OMS) and Network Watcher (this can be disabled, btw, but it's a provider setting). You have no control over that as well.
There is a not-yet-implemented nodeResourceGroup property: https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/createorupdate#examples
EDIT: this is actually working right now, so the nodeResourceGroup property can be used. But it would still be a new resource group, so you would still need to request access to that group, and using this property is not possible with the portal (so ARM templates\pulumi\terraform).
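An added ARM template showing the nodeResourceGroup property the edit above refers to (this is not code from the original answer or from the AKS project). The cluster name, node resource group name, VM size and node count are assumptions; the template is deployed into the resource group that should hold the cluster resource itself.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "clusterName": {
      "type": "string",
      "defaultValue": "example-aks",
      "metadata": { "description": "Assumed cluster name" }
    },
    "nodeResourceGroupName": {
      "type": "string",
      "defaultValue": "example-aks-nodes-rg",
      "metadata": { "description": "Assumed name for the group AKS creates for nodes, load balancers and disks; replaces the MC_ default" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2023-08-01",
      "name": "[parameters('clusterName')]",
      "location": "[resourceGroup().location]",
      "identity": { "type": "SystemAssigned" },
      "properties": {
        "dnsPrefix": "[parameters('clusterName')]",
        "nodeResourceGroup": "[parameters('nodeResourceGroupName')]",
        "agentPoolProfiles": [
          {
            "name": "system",
            "mode": "System",
            "count": 1,
            "vmSize": "Standard_DS2_v2",
            "osType": "Linux"
          }
        ]
      }
    }
  ]
}
```

Two checks before deploying: the node resource group name must not already exist (AKS creates it, and it must differ from the group the cluster resource lives in), and, as the answer says, it is still a separate resource group, so the RBAC problem from the question remains; the only thing gained is a predictable name to request access to.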
We often delete resource groups. I have one resource group that I would like to protect. Is there a way of “locking” it so that I would be required to unlock it before being allowed to delete it? Bonus points if it requires a password.
Egads. Yes, there is. Sorry I didn't see this earlier. Simply go to the Resource Group's properties, click on Lock, add a new lock and set the type to Delete.
You can achieve this using the following steps:
Open your resource group.
In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.
To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent. For example, you could lock the resource group to apply a lock to all its resources.
Give the lock a name and lock level. Optionally, you can add notes that describe the lock.
For more details, refer to: Lock resources to prevent unexpected changes
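The same lock created from an ARM template instead of the portal, added here as an example that is not part of the original answers. Deploying this template into a resource group creates a CanNotDelete lock on that group, which, by inheritance, covers every resource already in it and any added later. The lock name and notes text are assumptions.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2020-05-01",
      "name": "do-not-delete",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Example lock (assumed name): protects this resource group and everything in it from deletion until the lock is removed"
      }
    }
  ]
}
```

On the "password" wish in the question: there is no password, but removing the lock requires the Microsoft.Authorization/locks/delete permission, which only Owner and User Access Administrator hold among the built-in roles. Granting day-to-day operators Contributor rather than Owner therefore turns "unlock before delete" into a two-person step, and the lock deletion shows up in the activity log as a separate operation that can be alerted on.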
In the Azure Container Registry blade in the Azure portal, there is a "Lock" section on the left hand side and I can't find it anywhere in the ACR documentation.
What is it?
It's a general Azure (not ACR-specific) feature to prevent accidental deletion (or modification) of a resource. You can create a lock that would prevent users from deleting or modifying the resource while the lock is there (even if they have the permissions to delete\modify the resource).
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-lock-resources