Lock resources to prevent unexpected changes

As an administrator, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources. The lock overrides any permissions the user might have.

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can't delete the resource.
  • ReadOnly means authorized users can read a resource, but they can't delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure role-based access control (Azure RBAC).

Lock inheritance

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

Understand scope of locks

Note

It's important to understand that locks don't apply to all types of operations. Azure operations can be divided into two categories: control plane and data plane. Locks only apply to control plane operations.

Control plane operations are operations sent to https://management.azure.com. Data plane operations are operations sent to your instance of a service, such as https://myaccount.blob.core.windows.net/. For more information, see Azure control plane and data plane.

This distinction means locks prevent changes to a resource, but they don't restrict how resources perform their own functions. For example, a ReadOnly lock on a SQL Database logical server prevents you from deleting or modifying the server. It doesn't prevent you from creating, updating, or deleting data in the databases on that server. Data transactions are permitted because those operations aren't sent to https://management.azure.com.

More examples of the differences between control and data plane operations are described in the next section.

Considerations before applying locks

Applying locks can lead to unexpected results because some operations that don't seem to modify the resource actually require actions that are blocked by the lock. Locks will prevent any operations that require a POST request to the Azure Resource Manager API. Some common examples of the operations that are blocked by locks are:

  • A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage List Keys operation is handled through a POST request to protect access to the account keys, which provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys must use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).

  • A cannot-delete lock on a storage account doesn't prevent data within that account from being deleted or modified. This type of lock only protects the storage account itself from being deleted, and doesn't protect blob, queue, table, or file data within that storage account.

  • A read-only lock on a storage account doesn't prevent data within that account from being deleted or modified. This type of lock only protects the storage account itself from being deleted or modified, and doesn't protect blob, queue, table, or file data within that storage account.

  • A read-only lock on an App Service resource prevents Visual Studio Server Explorer from displaying files for the resource because that interaction requires write access.

  • A read-only lock on a resource group that contains an App Service plan prevents you from scaling up or out the plan.

  • A read-only lock on a resource group that contains a virtual machine prevents all users from starting or restarting the virtual machine. These operations require a POST request.

  • A cannot-delete lock on a resource group prevents Azure Resource Manager from automatically deleting deployments in the history. If you reach 800 deployments in the history, your deployments will fail.

  • A cannot-delete lock on the resource group created by Azure Backup Service causes backups to fail. The service supports a maximum of 18 restore points. When locked, the backup service can't clean up restore points. For more information, see Frequently asked questions - Back up Azure VMs.

  • A cannot-delete lock on a resource group prevents Azure Machine Learning from autoscaling Azure Machine Learning compute clusters to remove unused nodes.

  • A read-only lock on a subscription prevents Azure Advisor from working correctly. Advisor is unable to store the results of its queries.
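The inheritance rule (the most restrictive lock in the chain wins) and the control-plane/data-plane distinction behind the list above can be checked with a small evaluator. The following Python is an added example written for this page; it is not Azure's own code or SDK. It treats a lock as applying when its scope is the resource itself or one of its ancestors, classifies a call as control plane when its host is management.azure.com, and applies the page's rules: ReadOnly rejects every non-read control-plane call (including the POST actions listed above, such as listing storage keys), while CanNotDelete rejects only DELETE. The subscription ID, the storage account name and the request URLs are constructed sample values.

```python
"""Evaluate which management lock applies to a resource and whether a call is blocked.

Added example for this page; it is not Azure's own code. The rules encoded
here are the ones stated on the page (inheritance, control plane vs data
plane, ReadOnly vs CanNotDelete).
"""
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import urlparse

# Lock levels ranked from least to most restrictive; the most restrictive
# lock anywhere in the inheritance chain takes precedence.
LEVEL_RANK = {"CanNotDelete": 1, "ReadOnly": 2}

# Control-plane requests go to Azure Resource Manager; locks apply only there.
CONTROL_PLANE_HOST = "management.azure.com"

# Methods that ReadOnly still permits (reads); anything else is a modification.
READ_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Lock:
    scope: str   # ARM ID of the subscription, resource group or resource the lock sits on
    level: str   # "CanNotDelete" or "ReadOnly"
    name: str = ""


def _norm(scope: str) -> str:
    """ARM IDs are case-insensitive; compare them lower-cased without a trailing slash."""
    return scope.rstrip("/").lower()


def effective_lock(resource_id: str, locks: Iterable[Lock]) -> Optional[str]:
    """Return the most restrictive level applying to resource_id, or None.

    A lock applies when its scope is the resource itself or an ancestor scope
    (its resource group or subscription), which is how inheritance works.
    """
    target = _norm(resource_id)
    best: Optional[str] = None
    for lock in locks:
        if lock.level not in LEVEL_RANK:
            raise ValueError(f"unknown lock level {lock.level!r}")
        scope = _norm(lock.scope)
        if target == scope or target.startswith(scope + "/"):
            if best is None or LEVEL_RANK[lock.level] > LEVEL_RANK[best]:
                best = lock.level
    return best


def is_blocked(method: str, url: str, resource_id: str, locks: Iterable[Lock]) -> bool:
    """Decide whether a lock would reject this request against resource_id.

    Data-plane calls (any host other than management.azure.com) are never
    blocked. On the control plane, ReadOnly rejects every non-read call,
    including POST actions such as listKeys or a VM start; CanNotDelete
    rejects only DELETE.
    """
    host = (urlparse(url).hostname or "").lower()
    if host != CONTROL_PLANE_HOST:
        return False
    level = effective_lock(resource_id, locks)
    verb = method.upper()
    if level == "ReadOnly":
        return verb not in READ_METHODS
    if level == "CanNotDelete":
        return verb == "DELETE"
    return False


# Constructed sample hierarchy: placeholder subscription ID, names taken from the page,
# plus a made-up storage account.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/exampleresourcegroup"
SITE = RG + "/providers/Microsoft.Web/sites/examplesite"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/examplestorage"

SAMPLE_LOCKS = [
    Lock(RG, "CanNotDelete", "LockGroup"),     # inherited by every resource in the group
    Lock(STORAGE, "ReadOnly", "LockStorage"),  # more restrictive, so it wins for the account
]

if __name__ == "__main__":
    arm = "https://" + CONTROL_PLANE_HOST
    print(effective_lock(SITE, SAMPLE_LOCKS))                                       # CanNotDelete
    print(is_blocked("DELETE", arm + SITE, SITE, SAMPLE_LOCKS))                     # True
    print(is_blocked("PUT", arm + SITE, SITE, SAMPLE_LOCKS))                        # False
    print(is_blocked("POST", arm + STORAGE + "/listKeys", STORAGE, SAMPLE_LOCKS))   # True
    print(is_blocked("PUT", "https://examplestorage.blob.core.windows.net/c/b",
                     STORAGE, SAMPLE_LOCKS))                                        # False: data plane
```

The last call is the point the page makes about storage accounts: the same ReadOnly lock that rejects a control-plane listKeys POST says nothing about a blob write, because that request never reaches management.azure.com.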

Who can create or delete locks

To create or delete management locks, you must have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* actions. Of the built-in roles, only Owner and User Access Administrator are granted those actions.

Managed Applications and locks

Some Azure services, such as Azure Databricks, use managed applications to implement the service. In that case, the service creates two resource groups. One resource group contains an overview of the service and isn't locked. The other resource group contains the infrastructure for the service and is locked.

If you try to delete the infrastructure resource group, you get an error stating that the resource group is locked. If you try to delete the lock for the infrastructure resource group, you get an error stating that the lock can't be deleted because it's owned by a system application.

Instead, delete the service, which also deletes the infrastructure resource group.

For managed applications, select the service you deployed.

Screenshot: Select the service.

Notice the service includes a link for a Managed Resource Group. That resource group holds the infrastructure and is locked. It can't be directly deleted.

Screenshot: Show the managed resource group.

To delete everything for the service, including the locked infrastructure resource group, select Delete for the service.

Screenshot: Delete the service.

Configure locks

Portal

  1. In the Settings blade for the resource, resource group, or subscription that you wish to lock, select Locks.

    Screenshot: Select Locks.

  2. To add a lock, select Add. If you want to create a lock at a parent level, select the parent. The currently selected resource inherits the lock from the parent. For example, you could lock the resource group to apply a lock to all its resources.

    Screenshot: Add a lock.

  3. Give the lock a name and lock level. Optionally, you can add notes that describe the lock.

    Screenshot: Set the lock.

  4. To delete the lock, select the Delete button.

    Screenshot: Delete the lock.

ARM template

When using an Azure Resource Manager template (ARM template) to deploy a lock, you need to be aware of the scope of the lock and the scope of the deployment. To apply a lock at the deployment scope, such as locking a resource group or subscription, don't set the scope property. When locking a resource within the deployment scope, set the scope property.

The following template applies a lock to the resource group it's deployed to. Notice there isn't a scope property on the lock resource because the scope of the lock matches the scope of deployment. This template is deployed at the resource group level.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "rgLock",
      "properties": {
        "level": "CanNotDelete",
        "notes": "Resource group should not be deleted."
      }
    }
  ]
}

To create a resource group and lock it, deploy the following template at the subscription level.

{
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "rgName": {
      "type": "string"
    },
    "rgLocation": {
      "type": "string"
    }
  },
  "variables": {},
  "resources": [
    {
      "type": "Microsoft.Resources/resourceGroups",
      "apiVersion": "2020-10-01",
      "name": "[parameters('rgName')]",
      "location": "[parameters('rgLocation')]",
      "properties": {}
    },
    {
      "type": "Microsoft.Resources/deployments",
      "apiVersion": "2020-10-01",
      "name": "lockDeployment",
      "resourceGroup": "[parameters('rgName')]",
      "dependsOn": [
        "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
      ],
      "properties": {
        "mode": "Incremental",
        "template": {
          "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
          "contentVersion": "1.0.0.0",
          "parameters": {},
          "variables": {},
          "resources": [
            {
              "type": "Microsoft.Authorization/locks",
              "apiVersion": "2016-09-01",
              "name": "rgLock",
              "properties": {
                "level": "CanNotDelete",
                "notes": "Resource group and its resources should not be deleted."
              }
            }
          ],
          "outputs": {}
        }
      }
    }
  ],
  "outputs": {}
}

When applying a lock to a resource within the resource group, add the scope property. Set scope to the name of the resource to lock.

The following example shows a template that creates an app service plan, a website, and a lock on the website. The scope of the lock is set to the website.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "hostingPlanName": {
      "type": "string"
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    }
  },
  "variables": {
    "siteName": "[concat('ExampleSite', uniqueString(resourceGroup().id))]"
  },
  "resources": [
    {
      "type": "Microsoft.Web/serverfarms",
      "apiVersion": "2020-12-01",
      "name": "[parameters('hostingPlanName')]",
      "location": "[parameters('location')]",
      "sku": {
        "tier": "Free",
        "name": "f1",
        "capacity": 0
      },
      "properties": {
        "targetWorkerCount": 1
      }
    },
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2020-12-01",
      "name": "[variables('siteName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
      ],
      "properties": {
        "serverFarmId": "[parameters('hostingPlanName')]"
      }
    },
    {
      "type": "Microsoft.Authorization/locks",
      "apiVersion": "2016-09-01",
      "name": "siteLock",
      "scope": "[concat('Microsoft.Web/sites/', variables('siteName'))]",
      "dependsOn": [
        "[resourceId('Microsoft.Web/sites', variables('siteName'))]"
      ],
      "properties": {
        "level": "CanNotDelete",
        "notes": "Site should not be deleted."
      }
    }
  ]
}

Azure PowerShell

You lock deployed resources with Azure PowerShell by using the New-AzResourceLock command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

New-AzResourceLock -LockLevel CanNotDelete -LockName LockSite -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To lock a resource group, provide the name of the resource group.

New-AzResourceLock -LockName LockGroup -LockLevel CanNotDelete -ResourceGroupName exampleresourcegroup

To get information about a lock, use Get-AzResourceLock. To get all the locks in your subscription, use:

Get-AzResourceLock

To get all locks for a resource, use:

Get-AzResourceLock -ResourceName examplesite -ResourceType Microsoft.Web/sites -ResourceGroupName exampleresourcegroup

To get all locks for a resource group, use:

Get-AzResourceLock -ResourceGroupName exampleresourcegroup

To delete a lock for a resource, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup -ResourceName examplesite -ResourceType Microsoft.Web/sites).LockId
Remove-AzResourceLock -LockId $lockId

To delete a lock for a resource group, use:

$lockId = (Get-AzResourceLock -ResourceGroupName exampleresourcegroup).LockId
Remove-AzResourceLock -LockId $lockId

Azure CLI

You lock deployed resources with Azure CLI by using the az lock create command.

To lock a resource, provide the name of the resource, its resource type, and its resource group name.

az lock create --name LockSite --lock-type CanNotDelete --resource-group exampleresourcegroup --resource-name examplesite --resource-type Microsoft.Web/sites

To lock a resource group, provide the name of the resource group.

az lock create --name LockGroup --lock-type CanNotDelete --resource-group exampleresourcegroup

To get information about a lock, use az lock list. To get all the locks in your subscription, use:

az lock list

To get all locks for a resource, use:

az lock list --resource-group exampleresourcegroup --resource-name examplesite --namespace Microsoft.Web --resource-type sites --parent ""

To get all locks for a resource group, use:

az lock list --resource-group exampleresourcegroup

To delete a lock for a resource, use:

lockid=$(az lock show --name LockSite --resource-group exampleresourcegroup --resource-type Microsoft.Web/sites --resource-name examplesite --output tsv --query id)
az lock delete --ids $lockid

To delete a lock for a resource group, use the name of the resource group lock (LockGroup in the create command above), not the resource lock:

lockid=$(az lock show --name LockGroup --resource-group exampleresourcegroup --output tsv --query id)
az lock delete --ids $lockid

REST API

You can lock deployed resources with the REST API for management locks. The REST API enables you to create and delete locks, and retrieve information about existing locks.

To create a lock, run:

PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/locks/{lock-name}?api-version={api-version}

The scope could be a subscription, resource group, or resource. The lock-name is whatever you want to call the lock. For api-version, use 2016-09-01.

In the request, include a JSON object that specifies the properties for the lock.

{
  "properties": {
    "level": "CanNotDelete",
    "notes": "Optional text notes."
  }
}
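The PUT shape above, together with the lock resource IDs that Get-AzResourceLock and az lock show return in the earlier sections, can be handled in a few helper functions. The following Python is an added example written for this page; it is not Azure's own client code or SDK, and it builds the request without sending it. It validates the lock level against the two values the page allows, fixes api-version to 2016-09-01, classifies the scope as a subscription, resource group or resource, and parses a lock ID back into its scope and name (the ID is what the Remove-AzResourceLock and az lock delete commands consume). The subscription ID is a placeholder; the resource group and site names come from the page's own commands.

```python
"""Build a management-lock PUT request and parse lock resource IDs.

Added example for this page; it is not Azure's own client code. The URL
shape, api-version and JSON body follow the REST description on the page.
"""
import json
from typing import Dict, Optional, Tuple

LOCK_API_VERSION = "2016-09-01"                    # api-version the page gives for locks
VALID_LEVELS = ("CanNotDelete", "ReadOnly")
MANAGEMENT_ENDPOINT = "https://management.azure.com"
LOCK_PROVIDER_PATH = "/providers/Microsoft.Authorization/locks/"


def scope_kind(scope: str) -> str:
    """Classify an ARM scope as 'subscription', 'resourceGroup' or 'resource'."""
    parts = [p for p in scope.split("/") if p]
    lower = [p.lower() for p in parts]
    if len(parts) < 2 or lower[0] != "subscriptions":
        raise ValueError(f"not an ARM scope: {scope!r}")
    if len(parts) == 2:
        return "subscription"
    if lower[2] == "resourcegroups":
        if len(parts) == 4:
            return "resourceGroup"
        # .../resourceGroups/<rg>/providers/<namespace>/<type>/<name>[...]
        if len(parts) >= 8 and lower[4] == "providers":
            return "resource"
    elif lower[2] == "providers" and len(parts) >= 6:
        return "resource"                           # subscription-level resource
    raise ValueError(f"not an ARM scope: {scope!r}")


def build_lock_request(scope: str, lock_name: str, level: str,
                       notes: Optional[str] = None) -> Tuple[str, str, Dict]:
    """Return (method, url, body) for creating a lock at `scope`.

    The body is returned as a dict; serialize it with json.dumps when sending.
    """
    scope_kind(scope)                               # raises on a malformed scope
    if level not in VALID_LEVELS:
        raise ValueError(f"level must be one of {VALID_LEVELS}, got {level!r}")
    if not lock_name or any(c in lock_name for c in "/?#"):
        raise ValueError("lock name must be a single, non-empty path segment")
    url = (f"{MANAGEMENT_ENDPOINT}{scope.rstrip('/')}{LOCK_PROVIDER_PATH}"
           f"{lock_name}?api-version={LOCK_API_VERSION}")
    props: Dict[str, str] = {"level": level}
    if notes:
        props["notes"] = notes                      # notes are optional on the page
    return "PUT", url, {"properties": props}


def parse_lock_id(lock_id: str) -> Tuple[str, str]:
    """Split a lock resource ID into (scope, lock name).

    This is the ID returned by Get-AzResourceLock (.LockId) and
    `az lock show --query id`; the scope part is what the lock protects.
    """
    marker = LOCK_PROVIDER_PATH.lower()
    idx = lock_id.lower().rfind(marker)
    if idx < 0:
        raise ValueError(f"not a management lock ID: {lock_id!r}")
    scope, name = lock_id[:idx], lock_id[idx + len(marker):]
    if not name or "/" in name:
        raise ValueError(f"not a management lock ID: {lock_id!r}")
    scope_kind(scope)                               # validates the protected scope
    return scope, name


# Constructed sample scopes: placeholder subscription ID, names from the page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/exampleresourcegroup"
SITE = RG + "/providers/Microsoft.Web/sites/examplesite"

if __name__ == "__main__":
    method, url, body = build_lock_request(RG, "LockGroup", "CanNotDelete",
                                           "Resource group should not be deleted.")
    print(method, url)
    print(json.dumps(body, indent=2))
    print(parse_lock_id(SITE + LOCK_PROVIDER_PATH + "LockSite"))
```

Because the scope is embedded in the lock ID, parse_lock_id also tells you which level of the hierarchy a lock protects before you remove it, which is the check worth making before running the delete commands shown in the PowerShell and CLI sections.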

Next steps