

Are you taking advantage of Azure’s resource tagging capabilities for optimal visibility? If not, it’s time to get started.
In our recent primer on building a cloud cost governance plan, one of the key elements we covered was the issue of visibility: in order to understand and optimize your Azure bills, you need all the information you can get about the resources you’re paying for.
But if you want to take control manually, in addition to a documented naming convention, you’ll need a well-designed and consistently applied tagging convention will help you with everything from ownership to lifecycle management, as well as enable targeted automation workflows and precise reporting.
In this post, you’ll learn how to design, implement and enforce an effective resource tagging strategy for maximal control over your cloud spend.
Jump to:
Tags let you organize resources and resource groups by assigning them a name:value
pair such as CostCenter:HumanResources
. This can be especially useful when it comes to things like:
Environment:dev
overnight” or “in resource-group-1, delete resources that have been inactive for 90 days”.Suggested read: Top 3 reasons to automate your VMs’ start-stop schedule, by Antoine Jagueneau
Tags let you categorize your Azure resources according to whichever patterns make sense for your organization’s needs.
Creating a global strategy? Then before you start slapping labels on resources left and right, you’re going to want to ask around for some input. Make a list of stakeholders—department heads, team leads, upper management, anyone who might want insights on the company cloud. Try to gather as much information on their needs as you can:
Now that you have a good idea of what types of data your tagging system should account for, it’s time to establish a consistent taxonomy for your tags.
Here’s where it’s useful to understand some basic information architecture concepts; if you’re interested in digging a bit deeper, I highly recommend UXBooth’s intro to taxonomies article.
Because tags are merely strings of text, it’s important to define strict parameters (spelling, prefix/suffix conventions, abbreviations, etc.) governing their use; inconsistent tagging takes a lot of value out of the process. If some people use the value “HR” but others use “humanResources”, it creates a blind spot in your “Department” tag—and a potential for inaccurate reporting.
In a nutshell, a well-designed tagging system:
As we saw earlier, each tag is made up of a name and a value. When coming up with your set of names and their corresponding value options, you really only need to keep two things in mind:
If you’re setting up a tagging system from scratch, it might be helpful to make yourself a simple worksheet with the following columns:
Here’s an example with some commonly used tags to get you started:
Some things to keep in mind when creating your tags:
Tags can be managed from the Azure portal, but this can be inefficient if you have lots of resources to work with. That’s where command line options such as Azure CLI come in handy. Here are some basic tagging operations to give you a feel for the syntax; refer to the official documentation to see everything you can do with tags in Azure CLI.
To list any existing tags in all resource groups within a subscription:
az group list –query [].tags
To create a new “Environment” tag:
az tag create –name Environment
To add the value “dev” to the “Environment” tag:
az tag add-value –name Environment –value dev
To tag the resource group “example-resource-group” with the environment prod
and cost center IT
:
az group update -n example-resource-group –set tags.Environment=prod tags.CostCenter=IT
And here’s what this looks like in the portal:
We’ll say it again—tagging is only as effective as it is consistent. How do you make sure everyone plays by the rules? Azure policies can help.
Policies automatically enforce compliance rules you define. When it comes to tags, this might mean:
Date
tags follows a “##-##-####” formatEnvironment:prod
by default to all resources created within a specific resource groupCostCenter
and Environment
tags mandatory for all resources of a certain typetagStatus:missing
tag automatically to all untagged resourcesHere’s another example of how tags and policies can work together. One best practice we strongly recommend from a user accountability perspective is to assign an “Owner” tag to resources as soon as they’re created—that way, if you need to take action on a given resource, you’ll know exactly who to contact about it.
Suggested read: [Webinar recording] Getting started with Azure Resource Graph, by Stephane Lapointe
Enforcing this practice can be achieved with an Azure policy that only allows resources to be created if both of these conditions are met:
Owner
tag assigned to itOwner
tag is a valid email address formatWe won’t get into the nitty-gritty of the process here—that’s a post for another day. In the meantime, Microsoft’s documentation has a good step-by-step article on getting started with custom policies, and Azure has several built-in tag-related policies that you can play around with and customize. To access them from your Azure portal, search for “policy”, and select Definitions from the left-hand menu.
At a glance, tags are about as simple as it gets. But taking the time to consider your organization’s needs and design a solid framework for resource tagging will save you a lot of hassle moving forward.
Management wants to know how much the VMs in your development environment have been costing lately? Need to target a set of related resources for automation purposes? There are so many circumstances in which a good set of tags can mean the difference between painstaking and painless.
Get full visibility into who’s shared what with whom, and automate external sharing reviews so they’re performed on an ongoing basis.