As a follow-up on the previous post, Azure Blob Container override delete lock, we need to solve another important question: how do we know which plane we are working on, and therefore which resources are impacted?
There is of course the theory, which you can go through in the documentation, and often you will find out very quickly or it is simply obvious. But sometimes it can be a challenge to know what is, e.g., configuration and what is actual data.
When we look back into the official documentation we get a very good hint:
- For Azure global, the URL is https://management.azure.com.
- For Azure Government, the URL is https://management.usgovcloudapi.net/.
- For Azure Germany, the URL is https://management.microsoftazure.de/.
- For Microsoft Azure operated by 21Vianet, the URL is https://management.chinacloudapi.cn.
Every single Azure environment's control plane URL starts with management. Data plane actions, however, typically use a URL that represents the resource the data lives in, e.g.
Where do we find these URLs?
There are multiple places to go look, even deep down into the SDKs (e.g. https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/websites/Azure.ResourceManager.AppService/src/Generated/RestOperations/AppServicePlansRestOperations.cs#L35).
A bit more straightforward is to simply look into the docs for the REST API calls that perform the actions you want to know more about:
Sample: creating storage account
The documentation to create a Storage Account clearly mentions the management URL.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}?api-version=2018-02-01
Sample: create a blob storage container
The documentation to create a Storage Account container clearly mentions the URL of your specific storage account rather than the management URL.
PUT https://myaccount.blob.core.windows.net/mycontainer?restype=container
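The host-based rule above can be applied mechanically to a captured list of REST calls, which is useful when reviewing which requests in a trace touched configuration and which touched data. The following is an added example, not code from the original post: it classifies each "METHOD URL" line as control plane (host is one of the four management endpoints listed above, with the ARM path broken down into subscription, resource group and resource type) or data plane (any other host, taken to be the resource's own endpoint). The sample lines are constructed; the two made-up calls (a Compute list and a Key Vault secret read) are not from the post.

```python
from urllib.parse import urlparse
# Control plane (Azure Resource Manager) hosts listed in the post.
CONTROL_PLANE_HOSTS = {
    "management.azure.com",           # Azure global
    "management.usgovcloudapi.net",   # Azure Government
    "management.microsoftazure.de",   # Azure Germany
    "management.chinacloudapi.cn",    # Azure operated by 21Vianet
}

def parse_arm_path(path):
    """Pull subscription, resource group, provider type and name out of an ARM path."""
    parts = [p for p in path.split("/") if p]
    lower = [p.lower() for p in parts]
    info = {}
    if len(parts) >= 2 and lower[0] == "subscriptions":
        info["subscription"] = parts[1]
    if len(parts) >= 4 and lower[2] == "resourcegroups":
        info["resource_group"] = parts[3]
    if "providers" in lower:
        i = lower.index("providers")
        if len(parts) > i + 2:  # providers/{namespace}/{type}
            info["resource_type"] = f"{parts[i + 1]}/{parts[i + 2]}"
        if len(parts) > i + 3:  # .../{type}/{name}
            info["resource_name"] = parts[i + 3]
    return info

def classify_request(line):
    """Classify one 'METHOD URL' line as a control plane or data plane call."""
    # Assumption: any host that is not an ARM endpoint is the resource's own
    # endpoint (e.g. myaccount.blob.core.windows.net), i.e. a data plane call.
    method, url = line.strip().split(None, 1)
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    result = {"method": method.upper(), "host": host}
    if host in CONTROL_PLANE_HOSTS:
        result["plane"] = "control"
        result.update(parse_arm_path(parsed.path))
    else:
        result["plane"] = "data"
        result["path"] = parsed.path
    return result

# Constructed sample lines: the two calls from the post plus two made-up ones.
SAMPLE_CALLS = [
    "PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}?api-version=2018-02-01",
    "PUT https://myaccount.blob.core.windows.net/mycontainer?restype=container",
    "GET https://management.usgovcloudapi.net/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2023-03-01",
    "GET https://myvault.vault.azure.net/secrets/dbpassword?api-version=7.4",
]
```

Running `classify_request` over `SAMPLE_CALLS` yields control, data, control, data; the RBAC consequence is that only the two control plane calls are governed by the broad Owner/Contributor/Reader roles.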
Recap
- The control plane manages everything related to resources (existence, form, governance, …)
  - Is accessed and 'managed' through management URLs.
  - From an RBAC perspective, these are approached by the broad Owner, Contributor and Reader roles and some specific resource 'management' roles.
- The data plane provides access to the actual data in a resource.
  - Is accessed through resource-specific URLs.
  - Has its own RBAC roles and sometimes even blocks data access to broad roles, e.g. even an Owner needs Key Vault Secrets Officer/User to access Key Vault secrets.
You can also have a look at John Savill's video on the topic, which explains it (including locks, policies, etc.) in a very visual format.