Azure Resource Manager (ARM)

Azure Resource Manager (ARM) provides a consistent management layer to deploy, manage, and monitor Azure resources as a group rather than individually. It supports deployment through Azure Portal, PowerShell, CLI, REST API, and SDKs, offering security, auditing, tagging, and access control (RBAC).


Key Benefits of ARM

  • Group deployment, management, and monitoring of resources.

  • Repeated and consistent deployment through declarative templates (ARM templates).

  • Define resource dependencies for correct deployment order.

  • Apply RBAC and tags across resources for access control and billing clarity.

  • Use templates instead of scripts to manage infrastructure.


Best Practices

  • Use declarative templates for deployments.

  • Avoid manual steps; define all deployment/configuration in templates.

  • Use imperative commands only for resource operations (e.g., start/stop VM).

  • Group resources by lifecycle; use tags for other organization.


Terminology

  • Resource: Manageable Azure item (VM, storage account, web app, database, etc.).

  • Resource Group: Container for related resources with shared lifecycle.

  • Resource Provider: Service offering resources (e.g., Microsoft.Compute, Microsoft.Storage, Microsoft.Web).

  • ARM Template: JSON file defining resources and dependencies.

  • Declarative Syntax: Specifies what to create without step-by-step commands.


Resource Providers

  • Provide operations for a given Azure service.

  • Example: Microsoft.KeyVault/vaults for Key Vaults.

  • Important to know resource types, valid locations, and API versions before deployment.


Resource Group Management

  • Deployment: Can deploy resources to new or existing resource groups. Deployments are incremental.

  • Rules:

    • A resource exists in only one group.

    • Resource groups cannot be renamed.

    • Can include multiple resource types and regions.

  • Creation Guidelines:

    • Resources in a group should share the same lifecycle.

    • Can move resources between groups.

    • Can scope access control at group level.

    • The resource group's location determines where its metadata is stored.


Resource Manager Locks

  • Prevent accidental changes or deletion.

  • Types:

    • Read-Only: No changes allowed.

    • Delete: Prevent deletion.

  • Only Owners/User Access Administrators can manage locks.

  • Inherited by child resources.
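
Because locks are inherited, the lock that protects a resource is often set on a parent scope. The following added example (not part of the original notes) computes the effective lock per resource from a list of locks. The subscription ID, lock names, and resource names are constructed, and the `LockId` / `Properties.level` property names are assumed to match the objects returned by Get-AzResourceLock.

```powershell
# Added example: effective lock level per resource, applying lock inheritance.
# All sample IDs are constructed; with the Az module, real input would come
# from Get-AzResourceLock (locks) and (Get-AzResource).ResourceId (resources).

function Get-LockScope {
    param([string]$LockId)
    # A lock ID is "<scope>/providers/Microsoft.Authorization/locks/<name>".
    # Removing that suffix leaves the scope the lock is applied to.
    $LockId -replace '/providers/Microsoft\.Authorization/locks/[^/]+$', ''
}

function Get-EffectiveLock {
    param([object[]]$Locks, [string[]]$ResourceIds)
    foreach ($id in $ResourceIds) {
        # A lock applies if its scope is the resource itself or a parent scope.
        # The trailing "/" stops ContosoRG01 from matching ContosoRG010.
        $applied = @($Locks | Where-Object {
            $scope = Get-LockScope $_.LockId
            $id -ieq $scope -or
                $id.StartsWith("$scope/", [StringComparison]::OrdinalIgnoreCase)
        })
        $levels = @($applied | ForEach-Object { $_.Properties.level })
        # ReadOnly is the more restrictive level, so it wins when both apply.
        $effective = 'None'
        if ($levels -contains 'CanNotDelete') { $effective = 'CanNotDelete' }
        if ($levels -contains 'ReadOnly')     { $effective = 'ReadOnly' }
        [pscustomobject]@{
            ResourceId    = $id
            EffectiveLock = $effective
            LockNames     = ($applied.Name -join ',')
        }
    }
}

$sub = '/subscriptions/00000000-0000-0000-0000-000000000000'  # constructed placeholder
$rg1 = "$sub/resourceGroups/ContosoRG01"
$locks = @(   # constructed: one group-level lock, one resource-level lock
    [pscustomobject]@{ Name = 'rg-nodelete'; Properties = @{ level = 'CanNotDelete' }
        LockId = "$rg1/providers/Microsoft.Authorization/locks/rg-nodelete" }
    [pscustomobject]@{ Name = 'kv-readonly'; Properties = @{ level = 'ReadOnly' }
        LockId = "$rg1/providers/Microsoft.KeyVault/vaults/kv1/providers/Microsoft.Authorization/locks/kv-readonly" }
)
$resources = @(   # constructed resource IDs
    "$rg1/providers/Microsoft.KeyVault/vaults/kv1"
    "$rg1/providers/Microsoft.Storage/storageAccounts/st1"
    "$sub/resourceGroups/ContosoRG02/providers/Microsoft.Storage/storageAccounts/st2"
)
Get-EffectiveLock -Locks $locks -ResourceIds $resources | Format-Table -AutoSize
```

Resources reported with `None` have no lock at any parent scope and can be deleted by anyone whose role allows it.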


Moving Resources

  • Resources can be moved to another subscription or resource group.

  • Both source and target groups are locked during move.

  • Check Move operation support for limitations.

  • Dependent resources must also be moved (e.g., gateways with VNets).


Removing Resources & Groups

  • Deleting a resource group deletes all contained resources.

  • Use caution: other resources may depend on these.

  • PowerShell Commands:

    • Remove resource group:

      Remove-AzResourceGroup -Name "ContosoRG01"

    • Delete resource lock:

      Remove-AzResourceLock -LockName <Name> -ResourceGroupName <ResourceGroup>

Resource Limits

  • Track resource usage and limits per subscription.

  • Increase default limits via support request (cannot exceed max listed in Azure limits).


Demonstration Commands

  • Create a lock:

    New-AzResourceLock -LockName <lockName> -LockLevel CanNotDelete -ResourceGroupName <resourceGroupName>

  • View locks:

    Get-AzResourceLock

  • Remove lock:

    Remove-AzResourceLock -LockName <Name> -ResourceGroupName <ResourceGroup>

Exam Tips

  • Understand resource group creation, deployment, and management.

  • Know locks, moving resources, and resource removal.

  • Be familiar with ARM templates and declarative deployment.