
Part 4: Locks & ARM Resource Structure

Source: John Savill's Azure Master Class v3 - Part 3: Governance
Video Timestamps: 45:00 - 53:10
AZ-104 Relevance: ⭐⭐⭐ Locks are tested; ARM structure helps understand Policy and RBAC


Resource Locks (Deep Dive)

Purpose

Protect against accidental deletions or modifications at the control plane.

Lock Types

| Lock Type | Modify Resource? | Delete Resource? | Delete Data Inside? |
|---|---|---|---|
| CannotDelete | ✅ Yes | ❌ No | ✅ Yes |
| ReadOnly | ❌ No | ❌ No | ✅ Yes |

Control Plane vs Data Plane

Locks are evaluated only by Azure Resource Manager, so they gate control-plane requests (create, update, delete, and POST actions on the resource). Requests that go straight to a service's own endpoint (blob, queue, table, and file operations; SQL queries) are data plane and are never checked against locks.

Example: A locked storage account:

  • ❌ Cannot delete the storage account
  • ❌ Cannot change storage account properties (if ReadOnly)
  • ✅ CAN still delete blobs inside it (a data-plane call to the blob endpoint)

Caveat: because ARM treats POST as a write, a ReadOnly lock also blocks POST operations such as listing the storage account keys or starting and stopping a VM. The portal and tools that fetch the account keys at runtime can therefore fail against a ReadOnly-locked storage account even though the data plane itself is unlocked; data access authorized through Entra ID RBAC still works.

Where to Apply Locks

| Scope | Effect |
|---|---|
| Subscription | All RGs and resources locked |
| Resource Group | All resources in RG locked |
| Resource | Only that resource locked |

Locks inherit down (Sub → RG → Resource).
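The following is an added example for these notes (not code from the course, and not an Azure API): a small model of the rules above, so you can reason about which requests a given set of locks would reject. It encodes CannotDelete vs ReadOnly, inheritance down the Sub → RG → Resource chain, and the control-plane-only scope. The subscription ID, resource IDs and lock names are constructed samples.

```python
"""Model of which control-plane requests an Azure resource lock stops.

Added example for these notes; not code from the course or from Azure.
It encodes the rules described above (CannotDelete vs ReadOnly, inheritance
Sub -> RG -> Resource, control plane only). Scope IDs and lock names are
constructed samples; the subscription GUID is a placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass

CANNOT_DELETE = "CannotDelete"
READ_ONLY = "ReadOnly"


@dataclass(frozen=True)
class Lock:
    scope: str  # ARM scope the lock was created on (subscription, RG or resource ID)
    level: str  # CANNOT_DELETE or READ_ONLY
    name: str


def scope_chain(resource_id: str) -> list[str]:
    """Scopes that govern a resource, outermost first: subscription, resource
    group, then the resource itself. A lock at any of these applies to it."""
    parts = resource_id.strip("/").split("/")
    chain: list[str] = []
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        chain.append("/" + "/".join(parts[:2]))
    if len(parts) >= 4 and parts[2].lower() == "resourcegroups":
        chain.append("/" + "/".join(parts[:4]))
    full = "/" + "/".join(parts)
    if full.lower() not in (s.lower() for s in chain):
        chain.append(full)
    return chain


def effective_locks(resource_id: str, locks: list[Lock]) -> list[Lock]:
    """The resource's own locks plus those inherited from parent scopes.
    ARM compares scopes case-insensitively, so this does too."""
    governing = {s.lower() for s in scope_chain(resource_id)}
    return [lock for lock in locks if lock.scope.lower() in governing]


def blocking_locks(resource_id: str, method: str, locks: list[Lock],
                   data_plane: bool = False) -> list[str]:
    """Names of the locks that would reject this request (empty list = allowed).

    method is the HTTP verb ARM sees: GET = read, PUT/PATCH = modify,
    DELETE = delete, POST = an action such as start, powerOff or listKeys.
    data_plane=True marks a request that never reaches ARM (deleting a blob,
    running a SQL query); locks do not apply to those at all.
    """
    if data_plane:
        return []
    verb = method.upper()
    if verb == "GET":
        return []  # both lock types allow reads
    blocked = []
    for lock in effective_locks(resource_id, locks):
        if lock.level == READ_ONLY:
            blocked.append(lock.name)  # ReadOnly rejects PUT, PATCH, DELETE and POST
        elif lock.level == CANNOT_DELETE and verb == "DELETE":
            blocked.append(lock.name)  # CannotDelete rejects only DELETE
    return blocked


# Constructed sample scope tree (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-prod"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/stprod001"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm-web01"

SAMPLE_LOCKS = [
    Lock(RG, CANNOT_DELETE, "no-delete-prod"),  # inherited by everything in the RG
    Lock(VM, READ_ONLY, "vm-frozen"),           # only the VM
]

if __name__ == "__main__":
    cases = [(SA, "DELETE", False), (SA, "PUT", False), (SA, "DELETE", True),
             (VM, "POST", False), (VM, "DELETE", False)]
    for rid, verb, dp in cases:
        plane = "data-plane" if dp else "control-plane"
        result = blocking_locks(rid, verb, SAMPLE_LOCKS, dp) or "allowed"
        print(f"{verb:6} {plane:13} {rid.rsplit('/', 1)[-1]:10} -> {result}")
```

Run it and note the two cases people get wrong on the exam: the storage account inherits the RG's CannotDelete lock, so deleting it fails while a PUT that changes its properties succeeds; and deleting a blob (data plane) is never blocked, whatever locks exist above it.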

Who Can Remove Locks?

Creating or deleting a lock requires the Microsoft.Authorization/locks/* actions (or Microsoft.Authorization/*), which only the built-in Owner and User Access Administrator roles carry; Contributor cannot add or remove locks. A lock can only be removed at the scope where it was applied, so an inherited lock cannot be deleted from a child resource group or resource.

Auto-Created Locks

Some services create locks automatically:

  • Azure Backup creates CannotDelete locks on protected VMs
  • Azure Site Recovery creates locks on replicated resources

Portal: Managing Locks

  1. Navigate to Subscription, RG, or Resource
  2. Settings → Locks
  3. Add → Choose type → Save

ARM Resource Structure

Understanding how Azure resources are structured helps you write Policy and RBAC rules.

The Hierarchy

  • Resource provider (Microsoft.Compute) → resource type (virtualMachines) → resource instance (a specific VM)
  • Each resource carries properties (its configuration) and exposes actions (operations such as start or restart)

Resource Provider Examples

| Provider | Resources It Contains |
|---|---|
| Microsoft.Compute | VMs, Disks, Scale Sets, Availability Sets |
| Microsoft.Storage | Storage Accounts, Blob Containers |
| Microsoft.Network | VNets, NSGs, Public IPs, Load Balancers |
| Microsoft.Sql | SQL Servers, Databases |
| Microsoft.Web | App Services, Function Apps |

Resource Type Format

{provider}/{resourceType}

Child resources add one segment per level: {provider}/{resourceType}/{childType}.

Examples:

  • Microsoft.Compute/virtualMachines
  • Microsoft.Storage/storageAccounts
  • Microsoft.Network/virtualNetworks
  • Microsoft.Network/virtualNetworks/subnets (child type)

Viewing Resource JSON

Every resource has underlying JSON. In Portal:

  1. Open any resource
  2. Click JSON View (top right corner)
```json
{
  "type": "Microsoft.Storage/storageAccounts",
  "apiVersion": "2023-01-01",
  "name": "mystorageaccount",
  "location": "eastus",
  "properties": {
    "minimumTlsVersion": "TLS1_2",
    "allowBlobPublicAccess": false
  }
}
```

Why This Matters

| Use Case | How ARM Structure Helps |
|---|---|
| Azure Policy | Policies target specific type and properties |
| Custom RBAC | Actions are defined per resource type |
| Templates | Bicep/ARM use this exact structure |
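To make the Azure Policy row concrete, here is an added example for these notes (not course code, and not the real Azure Policy engine, which supports many more conditions, effects and alias forms): a minimal evaluator for the `field` conditions of a policy rule, run against the storage account JSON shown above. A policy names the resource `type` and then addresses configuration through aliases of the form Provider/resourceType/propertyName; the evaluator maps those onto the resource's `properties` object. The deny rule and the extra test resources are constructed; the two aliases it uses are real Azure Policy aliases.

```python
"""Minimal evaluator for the `field` conditions of an Azure Policy rule,
run against the storage-account JSON from the page.

Added example for these notes; not the real Azure Policy engine and not
course code. The rule below is constructed; the aliases it uses are real.
"""
from __future__ import annotations

import copy

_MISSING = object()  # sentinel: the field is not present on the resource

# The storage account JSON shown on the page.
STORAGE_ACCOUNT = {
    "type": "Microsoft.Storage/storageAccounts",
    "apiVersion": "2023-01-01",
    "name": "mystorageaccount",
    "location": "eastus",
    "properties": {"minimumTlsVersion": "TLS1_2", "allowBlobPublicAccess": False},
}

# Constructed deny rule: storage accounts must require TLS 1.2 and must not
# allow anonymous blob access.
DENY_WEAK_STORAGE = {
    "if": {
        "allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"anyOf": [
                {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
                {"field": "Microsoft.Storage/storageAccounts/allowBlobPublicAccess", "equals": True},
            ]},
        ]
    },
    "then": {"effect": "deny"},
}


def _get_ci(obj: dict, key: str):
    """Case-insensitive key lookup, since ARM and Policy compare names that way."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return _MISSING


def resolve_field(resource: dict, field: str):
    """Resolve a policy `field`. Names without '/' (type, name, location, kind)
    read the top level; an alias Provider/type/prop[/sub...] drops the provider
    and type segments and walks the remaining path under `properties`."""
    if "/" not in field:
        return _get_ci(resource, field)
    node = _get_ci(resource, "properties")
    for segment in field.split("/")[2:]:
        if not isinstance(node, dict):
            return _MISSING
        node = _get_ci(node, segment)
        if node is _MISSING:
            return _MISSING
    return node


def _eq(actual, expected) -> bool:
    if isinstance(actual, str) and isinstance(expected, str):
        return actual.lower() == expected.lower()  # string comparisons are case-insensitive
    return actual == expected


def evaluate(condition: dict, resource: dict) -> bool:
    """True when the condition matches the resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = resolve_field(resource, condition["field"])
    if "exists" in condition:
        return (value is not _MISSING) == (str(condition["exists"]).lower() == "true")
    if value is _MISSING:
        value = None  # simplification: a missing property compares as null
    if "equals" in condition:
        return _eq(value, condition["equals"])
    if "notEquals" in condition:
        return not _eq(value, condition["notEquals"])
    if "in" in condition:
        return any(_eq(value, v) for v in condition["in"])
    if "notIn" in condition:
        return not any(_eq(value, v) for v in condition["notIn"])
    raise ValueError(f"unsupported condition: {condition}")


def effect_for(policy: dict, resource: dict) -> str | None:
    """The effect the policy would apply, or None when its `if` block does not
    match (the policy is then simply not applicable to this resource)."""
    return policy["then"]["effect"] if evaluate(policy["if"], resource) else None


def with_properties(resource: dict, **overrides) -> dict:
    """Copy of a resource with some `properties` changed (for what-if checks)."""
    clone = copy.deepcopy(resource)
    clone.setdefault("properties", {}).update(overrides)
    return clone


if __name__ == "__main__":
    cases = [("as shown", STORAGE_ACCOUNT),
             ("TLS1_0", with_properties(STORAGE_ACCOUNT, minimumTlsVersion="TLS1_0")),
             ("public blobs", with_properties(STORAGE_ACCOUNT, allowBlobPublicAccess=True))]
    for label, res in cases:
        print(f"{label:13}: {effect_for(DENY_WEAK_STORAGE, res) or 'compliant'}")
```

The point to take away is structural: the first condition pins the `type`, and every later condition is a path into `properties`, which is exactly what you see in the portal's JSON View. A resource of another type never reaches the property checks.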

Querying Available Actions

```bash
# List every control-plane operation Microsoft.Compute exposes for VMs.
# The command takes only --namespace; the resource type is selected with a JMESPath filter.
az provider operation show --namespace Microsoft.Compute \
  --query "resourceTypes[?name=='virtualMachines'].operations[].name" -o tsv
```

Output is the full operation names, e.g. Microsoft.Compute/virtualMachines/start/action, .../powerOff/action, .../restart/action and .../deallocate/action, alongside the read, write and delete operations.
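These operation names are what a custom role's Actions and NotActions refer to. As an added example for these notes (not course code and not an SDK call), the block below computes which concrete operations a custom role grants, using ARM-style wildcard matching. PROVIDER_OPERATIONS is a constructed subset in the shape the command above returns for Microsoft.Compute (the operation names are real; other fields are trimmed), and the role definition is hypothetical.

```python
"""Which concrete operations a custom role grants, computed from the provider
operation list and the role's Actions/NotActions with ARM-style wildcards.

Added example for these notes; not course code and not an Azure SDK call.
PROVIDER_OPERATIONS is a constructed subset of `az provider operation show
--namespace Microsoft.Compute` output (real operation names, trimmed fields).
VM_OPERATOR_ROLE is a hypothetical custom role.
"""
from __future__ import annotations

import re

PROVIDER_OPERATIONS = {
    "displayName": "Microsoft Compute",
    "resourceTypes": [
        {"name": "virtualMachines", "operations": [
            {"name": "Microsoft.Compute/virtualMachines/read", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/write", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/delete", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/start/action", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/powerOff/action", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/restart/action", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/deallocate/action", "isDataAction": False},
            {"name": "Microsoft.Compute/virtualMachines/runCommand/action", "isDataAction": False},
        ]},
        {"name": "disks", "operations": [
            {"name": "Microsoft.Compute/disks/read", "isDataAction": False},
            {"name": "Microsoft.Compute/disks/write", "isDataAction": False},
            {"name": "Microsoft.Compute/disks/delete", "isDataAction": False},
        ]},
    ],
}

# Hypothetical custom role: may see and power-cycle VMs, but not change or
# delete them, and not run commands inside them.
VM_OPERATOR_ROLE = {
    "Name": "VM Operator (example)",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/*/action",
    ],
    "NotActions": [
        "Microsoft.Compute/virtualMachines/runCommand/action",
    ],
}


def action_matches(pattern: str, action: str) -> bool:
    """ARM permission matching: case-insensitive, and '*' matches any run of
    characters including '/' (so Microsoft.Compute/*/read also covers nested
    types such as virtualMachines/extensions/read)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def list_operations(provider: dict, resource_type: str | None = None) -> list[str]:
    """Control-plane operation names, optionally for a single resource type."""
    names: list[str] = []
    for rt in provider["resourceTypes"]:
        if resource_type and rt["name"].lower() != resource_type.lower():
            continue
        names.extend(op["name"] for op in rt["operations"] if not op.get("isDataAction"))
    return names


def effective_actions(role: dict, operations: list[str]) -> list[str]:
    """Operations the role permits: matched by some Actions pattern and by no
    NotActions pattern. NotActions subtracts from this role only; it is not a
    deny, so another assignment can still grant the operation."""
    return [op for op in operations
            if any(action_matches(p, op) for p in role.get("Actions", []))
            and not any(action_matches(p, op) for p in role.get("NotActions", []))]


if __name__ == "__main__":
    ops = list_operations(PROVIDER_OPERATIONS)
    allowed = set(effective_actions(VM_OPERATOR_ROLE, ops))
    for op in ops:
        print(f"{'allow' if op in allowed else '-':5} {op}")
```

Two details matter in practice: `*` spans `/` segments, so a pattern like Microsoft.Compute/*/read is broader than it looks, and NotActions only narrow this role (it is not a deny assignment), which is why least-privilege roles list explicit Actions rather than `*` minus exclusions.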

Azure Resource Explorer

resources.azure.com - Browse the raw ARM API:

  • See all resource providers
  • Explore resource types
  • View properties and actions

⚠️ Be careful - queries here count against ARM throttling limits (12,000 reads/hour).


Mental Model

Locks = Child Safety Lock on Cabinet 🔒

  • Prevents accidental opening (control plane)
  • Doesn't stop you reaching inside if already open (data plane)

ARM Structure = Lego Instructions 🧱

  • Provider = Lego theme (City, Technic, Star Wars)
  • Resource Type = Specific set within theme
  • Properties = How pieces connect
  • Actions = What the built model can do

AZ-104 Exam Tips

| Topic | Key Point |
|---|---|
| Lock types | CannotDelete (modify OK, delete blocked) vs ReadOnly (read only: modify, delete and POST actions such as start/stop blocked) |
| Lock scope | Control plane only, NOT data plane |
| Lock inheritance | Flows down from Sub → RG → Resource |
| Lock removal | Needs Microsoft.Authorization/locks/* (Owner or User Access Administrator), and only at the scope where the lock was applied |
| Resource type format | Microsoft.Provider/resourceType |

Practical Exercises

Exercise 1: View Resource JSON (3 min)

  1. Open any resource in Portal
  2. Click JSON View (top right)
  3. Note the type and properties fields

Exercise 2: Apply and Test a Lock (5 min)

  1. Create a test storage account
  2. Add CannotDelete lock
  3. Try to delete it - observe the error
  4. Try to change a setting - it should work
  5. Clean up: remove lock, delete resource

Exercise 3: Explore Resource Explorer (5 min)

  1. Go to resources.azure.com
  2. Navigate: Subscriptions → [your sub] → providers
  3. Expand Microsoft.Compute
  4. See the resource types available

End of Part 4

Released under the MIT License.