Monday, September 11, 2017

Azure Backup and Resource Group Locks

One important feature from a security perspective is the concept of Resource Group Locks.  I generally recommend that locks be placed at the resource group level for all production resources.  While you can place locks at the resource level, it can aid in manageability if the locks are placed at the resource group level.

It turns out that locking at the resource group level affects the way Azure backup functions with the VMs in that resource group, and, in some cases, can cause the backup to fail.

When you execute a backup, here is what shows up in the activity log for the target resource group (where the VM lives):

As you can see, there is a delete operation that occurs at the end of the backup process.  If you have a resource group lock enabled, you'll see the following error message:

From my experience, this does not prevent the backup from showing up in the vault, but does prevent the backup job from completing successfully.  According to Azure support, this situation could prevent the VM from backing up altogether.

The solution going forward is not to use locks at the resource group level, but rather to manage them per resource via ARM templates, so the lock sits on the VM itself rather than on the group in which the backup job creates and deletes resources.
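The following ARM template is an added example (not from the original post) of that approach: it applies a CanNotDelete lock directly to an existing VM and its managed OS disk, leaving the resource group itself unlocked. The parameter names, the lock name, and the assumption that the VM uses a managed OS disk are mine.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "vmName": {
      "type": "string",
      "metadata": { "description": "Existing VM in the target resource group (assumed name)" }
    },
    "osDiskName": {
      "type": "string",
      "metadata": { "description": "Managed OS disk attached to that VM (assumed to exist)" }
    },
    "lockName": {
      "type": "string",
      "defaultValue": "prod-no-delete",
      "metadata": { "description": "Lock name; example value, change to your naming convention" }
    }
  },
  "resources": [
    {
      "type": "Microsoft.Compute/virtualMachines/providers/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(parameters('vmName'), '/Microsoft.Authorization/', parameters('lockName'))]",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Resource-level lock on the VM only; the resource group stays unlocked so the delete step at the end of an Azure Backup job is not blocked."
      }
    },
    {
      "type": "Microsoft.Compute/disks/providers/locks",
      "apiVersion": "2016-09-01",
      "name": "[concat(parameters('osDiskName'), '/Microsoft.Authorization/', parameters('lockName'))]",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Same lock on the OS disk, so deleting the VM does not also silently remove its data."
      }
    }
  ]
}
```

Deploy it against the resource group that holds the VM, for example `az deployment group create --resource-group <rg> --template-file resource-locks.json --parameters vmName=<vm> osDiskName=<disk>`, then confirm with `az lock list --resource-group <rg> -o table` that the only locks listed are resource-scoped.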