What is Azure Resource Manager?

In this article, we will look at the broader offering and assess the different automation solutions available within Azure.

What is Azure Resource Manager?

Azure Resource Manager is the second implementation of Azure. It understands the fundamentals of application lifecycle management and the intelligence of environments management. It has built the API’s ground up, allowing you to control every component/resource programmatically.

Azure is currently at its second implementation. It started out as Azure classic portal or Azure Service Management Model (ASM) which had API-level access to manage components. The functionality of this API-level access was very limiting.

The benefits of using Azure Resource Manager

• You can deploy, manage, and monitor all the resources for your solution as a group, rather than handling these resources individually.
• You can repeatedly deploy your solution throughout the development lifecycle and have confidence that your resources are deployed in a consistent state.
• You can manage your infrastructure through declarative templates rather than scripts.
• You can define the dependencies between resources so that they are deployed in the correct order.
• You can apply access control to all services in your resource group because Role-Based Access Control (RBAC) is natively integrated into the management platform.
• You can apply tags to resources to logically organise all the resources in your subscription.
• You can clarify your organisation’s billing by viewing costs for a group of resources that share the same tag.

What does Azure Resource Manager offer?

Resource Groups

With Azure Resource Manager, all resources are created within a resource group. A resource group is a container that holds related resources for an application. The resource group could include all the resources for an application, or only those resources that are grouped logically. You can decide how you want to allocate resources to resource groups based on what makes the most sense for your organisation.

There are some important factors to consider when defining your resource group:

• All the resources in your group should share the same lifecycle. You will deploy, update, and delete them together. If one resource, such as a database server, needs to exist on a different deployment cycle, it should be in another resource group.
• Each resource can only exist in one resource group.
• You can add or remove a resource to a resource group at any time.
• You can move a resource from one resource group to another group.
• A resource group can contain resources that reside in different regions.
• A resource group can be used to scope access control for administrative actions.
• A resource can be linked to a resource in another resource group when the two resources must interact with each other but do not share the same lifecycle (for example, multiple apps connecting to a database).

Deployment Templates

You can apply Infrastructure as Code to Azure deployments by taking advantage of the ease of repeatability for configurations that the Azure Resource Manager templates enable.

Access Control

Azure Resource Manager allows you to control who has access to specific actions for your organisation. It natively integrates Role-Based Access Control (RBAC) into the management platform and applies that access control to all services in your resource group.

You can add users to predefined platforms and resource-specific roles, and then apply those roles to a subscription, resource group, or other resources to limit access.

Tags

Azure Resource Manager enables you to logically organise resources by applying tags. The tags consist of key/value pairs that identify resources with properties that you define.

When you view resources with a tag, you see resources from all of your resource groups. Because you are not limited to only the resources that are in the same resource group, you can organise your resources in a way that is independent of the deployment relationships. Tags can be particularly helpful when you need to organise resources for billing or management.

Resource Locks

As an administrator, you might need to lock a subscription, resource group, or resource to prevent other users in your organisation from accidentally deleting or modifying critical resources. You can set the lock level to CanNotDelete or ReadOnly:

• CanNotDelete means that authorised users can still read and modify a resource, but they can’t delete the resource.
• ReadOnly means authorised users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorised users to the permissions granted by the Reader role.

Azure Resource Manager locks apply only to operations that happen in the management plane, which consists of operations sent to https://management.azure.com. The locks do not restrict how resources perform their own functions. Resource changes are restricted, but resource operations are not restricted.

Unlike RBAC, management locks are used to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure Role-Based Access Control.

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources that you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

To create a lock, see Creating a Lock through the Portal.