Share via

Azure resource lock inconsistent behavior

Sushil 0 Reputation points
2025-08-07T14:21:51.4433333+00:00

Hi,

While reporting this question, I was looking for "Network Security Group" in the child tag but could not find it.

This issue is related to inconsistent resource lock behavior observed in Azure.

Summary:

When a resource group has "Delete" type resource lock, resources in that RG cannot be deleted.

There is a specific scenario, when the resource could be deleted. I want to report this observation and seek confirmation/clarification on what should be the correct behavior in the scenario described below:

Scenario:

  1. resource group exists and has a "Delete" lock enabled.
  2. A network security group is deployed under the resource group and has few security rules.
  3. I try to delete a security rule as shown below and I receive an error as shown in the screenshot:

User's image

this error appears to be correct behavior, the resource lock on RG is preventing delete of the security rule.

4.

Now, I try to delete the security rule as shown in the following screenshot:

User's image

and result:

User's image

Observation is that, in spite having resource lock on the RG, its effect on the security rule delete operation depends on the way it is being deleted.

Now question is:

whether security rule delete operation should succeed when the RG has lock, irrespective of the steps followed to delete it?

Please advise.

This similar behavior may also be observed for similar resources with parent and child relationships.

If you are fixing this issue, yokotenkai is advised.

#nsg #resourcelock #securityrule #delete

Azure Virtual Network
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator
    2025-08-08T04:20:30.1433333+00:00

    Hello Sushil
    I understand you're trying to delete the NSG rule but can't because a Lock is set on your resource group. You tried two different methods your first attempt didn't work, but the second one was successful even though the lock was applied at the RG level.

    I also tested both methods in my lab environment, but I couldn't delete the rule when a Lock was applied at the resource group level. Check the below screen shots.

    I clicked the delete option directly, but the operation failed. Please see the screenshot.
    User's image

    Selecting the checkbox, after clicking the top delete option did not work. User's image After changing the resource lock option to 'delete', I tried the first method, but it didn't work for deleting the rule. However, the rule was successfully deleted using the second method. Check the screen shots. Direct deletion isn't working; it's prompting for confirmation before deleting. This issue might be related to the way the deletion is being performed. It’s a good idea to review the deletion method and confirm that it uses the Azure Resource Manager (ARM) control plane, rather than any data plane operations, since only the control plane is affected by locks.
    User's image

    User's image

    User's image

    From my understanding, if you set the lock type to read-only, you won't be able to perform any actions at the resource group level. If you use a delete lock, you can still delete rules at the resource level, but you won't be able to delete the resource itself. Additionally, implementing any new rule is still possible.

    Hope the above answer helps! Please let us know do you have any further queries.

    Please do not forget to "up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.