Use Azure Resource Manager
1
�Introduction
Completed100 XP
3 minutes
Scenario
Your company is beginning to create resources in Azure. There is no
organizational plan for standardizing the effort. There have been several
instances where critical resources were inadvertently deleted. It is difficult
to determine who owns which resource.
You need to use resource groups to organize the company's Azure
resources.
Skills measured
Managing resources is part of Exam AZ-104: Microsoft Azure
Administrator.
Manage Azure identities and governance (15–20%)
Manage subscriptions and governance
Configure resource locks.
Manage resource groups.
Deploy and manage Azure compute resources (20–25%)
Configure VMs
Move VMs from one resource group to another.
Learning objectives
In this module, you'll learn how to:
Identify the features and usage cases for Azure Resource Manager.
Describe each Azure Resource Manager component and its usage.
Organize your Azure resources with resource groups.
Apply Azure Resource Manager locks.
Move Azure resources between groups, subscriptions, and regions.
Remove resources and resource groups.
Apply and track resource limits.
2
�Prerequisites
None
Next unit: Review Azure Resource Manager benefits
Review Azure Resource Manager
benefits
Completed100 XP
3 minutes
The infrastructure for your application is typically made up of many
components – maybe a virtual machine, storage account, and virtual
network, or a web app, database, database server, and third-party
services. These components are not separate entities, instead they are
related and interdependent parts of a single entity. You want to deploy,
manage, and monitor them as a group.
Azure Resource Manager enables you to work with the resources in your
solution as a group. You can deploy, update, or delete all the resources for
your solution in a single, coordinated operation. You use a template for
deployment and that template can work for different environments such
as testing, staging, and production. Azure Resource Manager provides
security, auditing, and tagging features to help you manage your
resources after deployment.
Consistent management layer
Azure Resource Manager provides a consistent management layer to
perform tasks through Azure PowerShell, Azure CLI, Azure portal, REST
API, and client SDKs. Choose the tools and APIs that work best for you.
The following image shows how all the tools interact with the same Azure
Resource Manager API. The API passes requests to the Azure Resource
Manager service, which authenticates and authorizes the requests. Azure
Resource Manager then routes the requests to the appropriate resource
providers.
3
�Benefits
Azure Resource Manager provides several benefits:
You can deploy, manage, and monitor all the resources for your
solution as a group, rather than handling these resources individually.
You can repeatedly deploy your solution throughout the development
lifecycle and have confidence your resources are deployed in a
consistent state.
You can manage your infrastructure through declarative templates
rather than scripts.
You can define the dependencies between resources so they're
deployed in the correct order.
You can apply access control to all services in your resource group
because Role-Based Access Control (RBAC) is natively integrated into
the management platform.
You can apply tags to resources to logically organize all the resources
in your subscription.
You can clarify your organization's billing by viewing costs for a group
of resources sharing the same tag.
Guidance
The following suggestions help you take full advantage of Azure Resource
Manager when working with your solutions.
Define and deploy your infrastructure through the declarative syntax
in Azure Resource Manager templates, rather than through
imperative commands.
Define all deployment and configuration steps in the template. You
should have no manual steps for setting up your solution.
4
� Run imperative commands to manage your resources, such as to
start or stop an app or machine.
Arrange resources with the same lifecycle in a resource group. Use
tags for all other organizing of resources.
Next unit: Review Azure resource terminology
Review Azure resource
terminology
Completed100 XP
3 minutes
If you're new to Azure Resource Manager, there are some terms you might
not be familiar with.
resource - A manageable item that is available through Azure. Some
common resources are a virtual machine, storage account, web app,
database, and virtual network, but there are many more.
resource group - A container that holds related resources for an
Azure solution. The resource group can include all the resources for
the solution, or only those resources that you want to manage as a
group. You decide how you want to allocate resources to resource
groups based on what makes the most sense for your organization.
resource provider - A service that supplies the resources you can
deploy and manage through Resource Manager. Each resource
provider offers operations for working with the resources that are
deployed. Some common resource providers are Microsoft.Compute,
which supplies the virtual machine resource, Microsoft.Storage, which
supplies the storage account resource, and Microsoft.Web, which
supplies resources related to web apps.
template - A JavaScript Object Notation (JSON) file that defines one
or more resources to deploy to a resource group. It also defines the
dependencies between the deployed resources. The template can be
used to deploy the resources consistently and repeatedly.
declarative syntax - Syntax that lets you state "Here is what I
intend to create" without having to write the sequence of
programming commands to create it. The Resource Manager
template is an example of declarative syntax. In the file, you define
the properties for the infrastructure to deploy to Azure.
5
�Resource providers
Each resource provider offers a set of resources and operations for
working with an Azure service. For example, if you want to store keys and
secrets, you work with the Microsoft.KeyVault resource provider. This
resource provider offers a resource type called vaults for creating the key
vault.
The name of a resource type is in the
format: {resource-provider}/{resource-type}. For example, the key
vault type is Microsoft.KeyVault/vaults.
Note
Before deploying your resources, you should gain an understanding of the
available resource providers. Knowing the names of resource providers
and resources helps you define resources you want to deploy to Azure.
Also, you need to know the valid locations and API versions for each
resource type.
Next unit: Create resource groups
Create resource groups
Completed100 XP
3 minutes
Resources can be deployed to any new or existing resource group.
Deployment of resources to a resource group becomes a job where you
can track the template execution. If deployment fails, the output of the
job can describe why the deployment failed. Whether the deployment is a
single resource to a group or a template to a group, you can use the
information to fix any errors and redeploy. Deployments are incremental;
if a resource group contains two web apps and you decide to deploy a
third, the existing web apps will not be removed.
Considerations
Resource Groups are at their simplest a logical collection of resources.
There are a few rules for resource groups.
6
� Resources can only exist in one resource group.
Resource Groups cannot be renamed.
Resource Groups can have resources of many different types
(services).
Resource Groups can have resources from many different regions.
Creating resource groups
There are some important factors to consider when defining your resource
group:
All the resources in your group should share the same lifecycle. You
deploy, update, and delete them together. If one resource, such as a
database server, needs to exist on a different deployment cycle it
should be in another resource group.
Each resource can only exist in one resource group.
You can add or remove a resource to a resource group at any time.
You can move a resource from one resource group to another group.
Limitations do apply to moving resources.
A resource group can contain resources that reside in different
regions.
A resource group can be used to scope access control for
administrative actions.
A resource can interact with resources in other resource groups. This
interaction is common when the two resources are related but don't
share the same lifecycle (for example, web apps connecting to a
database).
When creating a resource group, you need to provide a location for that
resource group. You may be wondering, "Why does a resource group need
a location? And, if the resources can have different locations than the
resource group, why does the resource group location matter at all?" The
resource group stores metadata about the resources. Therefore, when you
specify a location for the resource group, you're specifying where that
metadata is stored. For compliance reasons, you may need to ensure that
your data is stored in a particular region.
Note
By scoping permissions to a resource group, you can add/remove and
modify resources easily without having to recreate assignments and
scopes.
Next unit: Create Azure Resource Manager locks
7
�Create Azure Resource Manager
locks
Completed100 XP
3 minutes
A common concern with resources provisioned in Azure is the ease with
which they can be deleted. An over-zealous or careless administrator can
accidentally erase months of work with a few steps. Resource Manager
locks allow organizations to put a structure in place that prevents the
accidental deletion of resources in Azure.
You can associate the lock with a subscription, resource group, or
resource.
Locks are inherited by child resources.
Lock types
There are two types of resource locks.
Read-Only locks, which prevent any changes to the resource.
Delete locks, which prevent deletion.
Note
8
�Only the Owner and User Access Administrator roles can create or delete
management locks.
Next unit: Reorganize Azure resources
Reorganize Azure resources
Completed100 XP
3 minutes
Sometimes you may need to move resources to either a new subscription
or a new resource group in the same subscription.
When moving resources, both the source group and the target group are
locked during the operation. Write and delete operations are blocked on
the resource groups until the move completes. This lock means you can't
add, update, or delete resources in the resource groups. Locks don't mean
the resources aren't available. For example, if you move a virtual machine
to a new resource group, an application can still access the virtual
machine.
Limitations
Before beginning this process be sure to read the Move operation support
for resources page. This page details what resources can be moved
between resources group, subscriptions, and regions.
9
�Implementation
To move resources, select the resource group containing those resources,
and then select the Move button. Select the resources to move and the
destination resource group. Acknowledge that you need to update scripts.
Note
Just because a service can be moved doesn’t mean there aren’t
restrictions. For example, you can move a virtual network, but you must
also move its dependent resources, like gateways.
Next unit: Remove resources and resource groups
Continue
Remove resources and resource
groups
Completed100 XP
3 minutes
Use caution when deleting a resource group. Deleting a resource group
deletes all the resources contained within it. That resource group might
contain resources that resources in other resource groups depend on.
10
�Using PowerShell to delete resource groups
To remove a resource group use, Remove-AzResourceGroup. In this
example, we are removing the ContosoRG01 resource group from the
subscription. The cmdlet prompts you for confirmation and returns no
output.
Copy
Remove-AzResourceGroup -Name "ContosoRG01"
Removing resources
You can also delete individual resources within a resource group. For
example, here we are deleting a virtual network. Instead, of deleting you
can move the resource to another resource group.
Next unit: Determine resource limits
11
�Determine resource limits
Completed100 XP
3 minutes
Azure lets you view resource usage against limits. This is helpful to track
current usage, and plan for future use.
The limits shown are the limits for your subscription.
When you need to increase a default limit, there is a Request
Increase link.
All resources have a maximum limit listed in Azure limits.
If you are at the maximum limit, the limit can't be increased.
Next unit: Knowledge check
Knowledge check
Completed200 XP
3 minutes
Choose the best response for each question. Then select Check your
answers.
1.
A new project has several resources that need to be administered
together. Which of the following strategies would provide a good
solution?
Azure templates
12
�Incorrect. Azure templates are for deploying resources, not
administrative management.
Azure resource groups
Correct. Resource groups make administering resources easy.
Azure subscriptions
2.
Which of the following situations would be good example of when
to use a resource lock?
A ExpressRoute circuit with connectivity back to the on-premises network.
Correct. An ExpressRoute Circuit is a critical resources Resource
locks prevent other users in the organization from accidentally
deleting or modifying critical resources.
A non-production virtual machine used to test occasional application
builds.
A storage account used to temporarily store images processed in a
development environment.
3.
Which of the following is true about resource groups?
Resources can be in only one resource group.
True. Resources can be in only one resource group.
Role-based access control can't be applied to a resource group
Resource groups can be nested.
Next unit: Summary and resources
Continue
Summary and resources
Completed100 XP
3 minutes
13
�Azure Resource Manager is the deployment and management service for
Azure. It provides a management layer that enables you to create,
update, and delete resources in your Azure account. You use management
features, like access control, locks, and tags, to secure and organize your
resources after deployment.
You should now be able to:
Identify the features and usage cases for Azure Resource Manager.
Describe each Azure Resource Manager component and its usage.
Organize your Azure resources with resource groups.
Apply Azure Resource Manager locks.
Move Azure resources between groups, subscriptions, and regions.
Remove resources and resource groups.
Apply and track resource limits.
Learn more
You can learn more by reviewing the following.
Azure Resource Manager documentation
Learn - Control and organize Azure resources with Azure Resource
Manager
All units complete:
14
