Why you should use Azure Resource Locks

23 October 2024 - by Jack

Safeguard critical Azure resources with Resource Locks

One of Public Cloud’s greatest assets is the ability to create and destroy resources at the drop of a hat. This modern approach to infrastructure has led to many advancements for businesses of all sizes, from near-limitless horizontal scaling without the need for data centre commitment to automated development pipelines that can reduce Development and UAT (User Acceptance Testing) costs by removing the need for static infrastructure. The downside is that, as quickly as you can create your infrastructure and automation, you can also destroy it through slip-ups like deleting the wrong resource or, worse still, the wrong Resource Group. This kind of mistake could mean anything from a short outage to a complete loss of business-critical data.
Whether you’re new to Microsoft Azure or have been using it for a long time, you should be considering the use of Resource Locks. Resource Locks give you peace of mind that your critical resources can’t be accidentally deleted. The feature is readily available in the Azure Portal and is easy to set up. Resource Locks can be configured as either CanNotDelete or ReadOnly depending on your use case. CanNotDelete simply prevents you from deleting a resource without first removing the lock. ReadOnly prevents not only deletion but also configuration changes, which can be especially useful for systems that depend on static configurations.

So what should you be applying Resource Locks to?

  • Virtual Machines (VMs) and Databases: Often the workhorses of your infrastructure, applying locks to virtual machines and databases prevents accidental deletion or modification, ensuring that essential services remain operational.
  • Storage Accounts: Locking storage accounts containing vital data or backup files gives you peace of mind that your data is safe and available.
  • Resource Groups: Locking entire resource groups helps safeguard all associated resources from accidental modifications or deletions, providing a blanket layer of protection.
  • Networking Resources: Resources such as Virtual Networks, Network Security Groups, and Load Balancers can be locked to prevent unauthorised changes that could disrupt connectivity or security. This is especially useful for complex network implementations that would take time and effort to recreate.
  • App Services: Locking Azure App Services that host production applications can help ensure they remain unchanged, minimising the risk of downtime or service disruption.
  • Key Vaults: Protecting Azure Key Vaults with locks helps prevent loss of critical sensitive secrets.
  • Azure Functions: Locking serverless functions can protect critical business logic from accidental updates or deletions, ensuring the continuity of services.
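To check which of these resources are actually covered, the sketch below (an added example, not part of the original article) audits an inventory for critical resources that have no lock, either set directly or inherited from their Resource Group or subscription. The data is constructed in the shape of `az lock list` and `az resource list` JSON output; the subscription ID, resource names and the `CRITICAL_TYPES` policy are assumptions for illustration.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID
LOCK_MARKER = "/providers/microsoft.authorization/locks/"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # ReadOnly is the more restrictive

# Assumed policy for this example: resource types that must carry a lock
CRITICAL_TYPES = {
    "microsoft.compute/virtualmachines", "microsoft.storage/storageaccounts",
    "microsoft.keyvault/vaults", "microsoft.network/virtualnetworks",
}

# Constructed sample data (not real resources)
LOCKS = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Authorization/locks/rg-nodelete", "level": "CanNotDelete"},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod/providers/Microsoft.Authorization/locks/kv-ro", "level": "ReadOnly"},
]
RESOURCES = [
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web", "type": "Microsoft.Compute/virtualMachines"},
    {"id": f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod", "type": "Microsoft.KeyVault/vaults"},
    {"id": f"{SUB}/resourceGroups/rg-prod-backup/providers/Microsoft.Storage/storageAccounts/stbackup", "type": "Microsoft.Storage/storageAccounts"},
    {"id": f"{SUB}/resourceGroups/rg-dev/providers/Microsoft.Web/sites/app-dev", "type": "Microsoft.Web/sites"},
]

def lock_scope(lock_id):
    """Scope a lock applies to: its ID minus the trailing lock segment."""
    lowered = lock_id.lower()  # Azure resource IDs are case-insensitive
    return lowered[: lowered.rindex(LOCK_MARKER)]

def effective_lock(resource_id, locks):
    """Most restrictive lock on the resource or inherited from a parent scope."""
    rid = resource_id.lower()
    best = None
    for lock in locks:
        scope = lock_scope(lock["id"])
        # Match whole path segments so rg-prod does not cover rg-prod-backup
        if rid == scope or rid.startswith(scope + "/"):
            if best is None or RANK[lock["level"]] > RANK[best]:
                best = lock["level"]
    return best

def unprotected(resources, locks, critical=CRITICAL_TYPES):
    """IDs of critical resources with no direct or inherited lock."""
    return [r["id"] for r in resources
            if r["type"].lower() in critical and effective_lock(r["id"], locks) is None]

if __name__ == "__main__":
    for r in RESOURCES:
        print(effective_lock(r["id"], LOCKS), r["id"].rsplit("/", 1)[-1])
    print("Missing locks:", unprotected(RESOURCES, LOCKS))
```

In practice the two lists would be loaded from the JSON output of the Azure CLI rather than defined inline.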

Other benefits

An often overlooked benefit of implementing Resource Locks or similar restrictions into your infrastructure is that it promotes compliance and governance within an organisation. To put it simply, if you haven’t got around to properly implementing RBAC (Role Based Access Control) or Least Privilege access, this could be a good nudge to get you started. Many industries require strict data management protocols and these are only becoming more common. Taking a proactive stance may help to avoid potential fines or penalties down the line.
Another area of consideration that is rarely mentioned is that Public Cloud can be intimidating to those who are not familiar with it. Moving from on-premise or managed hosting, where you cannot simply delete a critical resource, to Public Cloud, where you can, can be uncomfortable. Informing a new team member that Resource Locks secure key resources so they can’t be changed gives them peace of mind that they can’t easily make a mistake that could bring everything crashing down around them. This may sound like a stretch, but hesitancy to run a simple Terraform configuration due to fear that it will delete an unintended resource is all too common. While a lot could be said about competency and due diligence here, it is surely better to just remove the potential for these kinds of mistakes entirely.

In conclusion

Resource Locks are quick and easy to implement and, while they may cause the occasional inconvenience when you actually want to remove a resource, come with very few downsides. For this reason we would encourage everyone to at least look into which resources would be good candidates for them to protect.
Why not take accidental deletion and data protection further though? Pipe Ten offers a comprehensive DR/BCP service, providing not just Cloud Service protection but also Multi-Cloud and Hybrid Cloud Disaster Recovery and Business Continuity Planning. Get in touch today.
Author: Jack Jones
Jack has been an integral part of Pipe Ten’s engineering team for over 5 years. With a long history of being immersed in Microsoft’s ecosystem, Jack embodies Pipe Ten’s provider-agnostic approach and has led the evolution of many customer solutions to integrate the benefits of public cloud, specialising in Azure and AWS. The wealth and sheer depth of Jack’s cutting-edge technical knowledge and skillset has been crucial to the success and growth of many customers’ businesses.
