Over the past three posts, we created the foundational infrastructure, segmented the virtual network with a dedicated FTP subnet, secured it with a Network Security Group, and worked with our virtual machine and storage account.
We are going to add tags to our resources so the team can track what is what, and we will apply a resource lock to our VM to avoid accidental deletion.
This post wraps up the series. Ensure you have the guided-project-vm virtual machine and guided-project-vnet virtual network from the previous exercises already in place.
What Are Tags?
Tags are simple key-value pairs you attach to Azure resources. A tag might look like Department: Customer Service or Purpose: FTP Server. They do not affect how a resource behaves; they just add metadata that makes filtering, reporting, and cost tracking easier.
Imagine this: Your finance team asks for a cost breakdown by department, and you have no way to filter spending. Or worse, someone accidentally deletes the production VM during a routine cleanup. Both scenarios are nightmares. Tags and resource locks exist to prevent exactly these disasters, and they take about 5 minutes to set up.
What Are Resource Locks?
A resource lock is exactly what it sounds like: a safeguard that prevents a resource from being modified or deleted, even by users who have permission to do so. Azure offers two lock types:
Delete — prevents deletion, but allows modifications.
ReadOnly — prevents both deletion and modifications.
Locks are especially useful for critical infrastructure. If a VM is running a production workload, a Delete lock means no one — including an admin having a bad day can remove it without first explicitly removing the lock. It is a simple but powerful safety net.
Task 1: Add Tags and a Lock to the Virtual Machine
We will start with the VM, since it needs both tags and a lock. It is efficient to handle both. Add Tags to the VM
Step 1: Log in to the Azure portal.
Step 2: In the search bar, type Virtual machines and select it under Services.
Step 3: Select guided-project-vm from the list.
Step 4: In the left-hand menu, select Tags.
On the first row, enter Department for Name and Customer Service for Value. On the second row, enter Purpose for Name and FTP Server for Value. Click Apply.
The VM is now tagged. Anyone browsing resources across the subscription can immediately see what this machine does and who it serves.
Add a Delete Lock to the VM
While we are still in the VM blade, let us add the lock. No need to navigate away. In the left-hand menu, expand Settings if it is not already open.
Step 1: Select Locks.
Step 2: Click + Add.
Step 3: For Name, enter VM-delete-lock.
Step 4: For Lock type, select Delete.
Optionally, add a note explaining the lock. This note is visible to anyone who encounters the lock later, which helps avoid confusion.
Step 5: Click OK.
The VM is now protected. Attempts to delete guided-project-vm will be blocked until this lock is removed, and removing a lock is a deliberate action that requires navigating to the Locks blade.
Click Home to return to the portal home page.
Task 2: Add Tags to the Virtual Network
The VNet doesn't need a lock, but it should be tagged for the same visibility reasons. Notice that when you go to add tags here, Azure will offer Department as an existing tag name. It learned this from the tag we already applied to the VM. You can reuse it and just set a different value.
From the portal home page, search for Virtual networks and select it.
Step 1: Select guided-project-vnet.
Step 2: In the left-hand menu, select Tags.
Step 3: For Name, select Department from the dropdown (it should appear as an existing tag). For Value, enter IT.
Step 4: Click Apply.
The VNet is now tagged and attributed to the IT department.
Here is a snapshot of everything in place:
This is a real-world Azure environment pattern: segmented networking, tightened security rules, tagged resources for cost tracking and visibility, and locked critical infrastructure. These are not just lab exercises; they are the building blocks of how production environments are actually run.
This series covered the fundamentals of Azure resource management. There is a lot more for us to explore together.
In this series, we built a secure, organized, and protected Azure environment. You now know how to:
Segment networks with subnets and NSGs
Tag resources for instant visibility and cost tracking
Lock critical assets to prevent disaster.
Thanks for following along. I will be glad to hear from you. What Azure topic keeps you up? Networking? Cost management? Security? Drop a comment below, and will cover it in the next series.
Top comments (0)