Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This guide explains how to use the Administrative Lock feature introduced in NNF 8.2 to lock or unlock a fabric resource in Azure. The lock prevents any configuration changes while still allowing safe read operations. This feature is available for both existing and new deployments.
The Administrative Lock feature provides a mechanism to control write and update operations to your Network Fabric environment. When locked, the fabric rejects all Create, Update, and Delete (CUD) operations, ensuring configuration integrity during critical events such as maintenance, incident response, or staged deployments.
Key Behaviors
- When locked, all configuration changes are blocked—including those initiated by the user or the Azure service.
- The current lock status is visible on the Fabric resource under the
Fabric Lock Propertiesblock. - The lock can be toggled via a POST action using ARM APIs or Azure CLI.
Prerequisites
- Azure CLI version
8.0.0b3or later is installed.
Check Current Fabric Lock Status
Before applying or removing an administrative lock, you can query the current lock status of your fabric using the following CLI command:
az networkfabric fabric show \
-g <resource-group-name> \
--resource-name <fabric-name> \
--query "fabricLocks[?lockType=='Administrative'].{Type:lockType,State:lockState}" \
-o table
Parameters:
-gor--resource-group: Name of the resource group containing the fabric.--resource-name: Name of your Network Fabric resource.--query: Filters the output to show only Administrative lock type and its current state.-o table: Formats the output as a table for better readability.
Example
az networkfabric fabric show \
-g nf-rg-prod \
--resource-name nf-eastus-prod \
--query "fabricLocks[?lockType=='Administrative'].{Type:lockType,State:lockState}" \
-o table
This command will display the current administrative lock status (Locked or Unlocked) for the specified fabric.
How to Use the Azure CLI to Lock or Unlock a Fabric
You can apply or remove the administrative lock using the following CLI command:
az networkfabric fabric lock-fabric \
--action {Lock | Unlock} \
--lock-type Administrative \
--network-fabric-name <fabric-name> \
--resource-group <resource-group-name>
Parameters:
--action: SpecifyLockorUnlockto change the fabric's state.--lock-type: Set toAdministrative.--network-fabric-name: Name of your Network Fabric resource.--resource-group: (Optional) Name of the resource group containing the fabric.
Example
az networkfabric fabric lock-fabric \
--action Lock \
--lock-type Administrative \
--network-fabric-name nf-eastus-prod \
--resource-group nf-rg-prod
This command will place the fabric in a locked state, preventing any configuration changes.
Supported and unsupported actions post administrative lock
| Action Type | Supported resource actions when fabric is under administrative lock Resources | Unsupported resource actions when fabric is under administrative lock |
|---|---|---|
| Resource Actions (CUD) | - NFC: Update operation allowed - All read operations on all Network Fabric resources |
- L2 ISD - L3 ISD - RCF - IPPrefix (if connected to RCF) - IPCommunity (if connected to RCF) - IPExtendedCommunity (if connected to RCF) - ACL - Internal Networks - External Networks - Network Packet Broker (NPB) - Network TAP - TAP Rule - Neighbor Group - Network Monitor - Network Fabric - Network Device |
| Post Actions | - Unlock Fabric (administrative state) | All other post actions are blocked |
| Service Actions / Geneva | (None supported) | All service actions are blocked |