In our recent primer on building a cloud cost governance plan, one of the key elements we covered was the issue of visibility: in order to understand and optimize your Azure bills, you need all the information you can get about the resources you’re paying for.
A well-designed and consistently applied tagging convention will help you in every area of cloud cost governance, from ownership to lifecycle management, as well as enable targeted automation workflows and precise reporting. Ready to dive in? In this post, you’ll learn how to design, implement and enforce an effective resource tagging strategy for maximal control over your cloud spend.
Resource tagging in Azure, the basics
Tags let you organize resources and resource groups by assigning them a name:value pair such as CostCenter:HumanResources. This can be especially useful when it comes to things like:
Access control and compliance: keep track of who can interact with what, and protect sensitive data.
Automation: apply bulk actions to related resources automatically, e.g. “shut down all VMs with the tag Environment:dev overnight” or “in resource-group-1, delete resources that have been inactive for 90 days”.
Cost governance: tags assigned to resources and groups are included in your detailed invoice CSV and, as of this year, in the Cost Management Portal APIs. This lets you filter resources according to a common project, customer, department, etc., to facilitate reporting (how much is a particular application/workload costing?) and chargebacks (which department is responsible for which costs?).
What tags do you need?
Tags let you categorize your Azure resources according to whichever patterns make sense for your organization’s needs. Creating a global strategy? Then before you start slapping labels on resources left and right, you’re going to want to ask around for some input. Make a list of stakeholders—department heads, team leads, upper management, anyone who might want insights on the company cloud. Try to gather as much information on their needs as you can:
How does billing divide the organization for chargeback purposes? By department? By project?
Are there any department-specific codes (e.g. for cost centers) or taxonomies you should be aware of?
What information does upper management want to see on reports?
How does each department hold its users accountable for resource use?
Establishing a consistent taxonomy for your tags
Now that you have a good idea of what types of data your tagging system should account for, it’s time to draft an action plan.
Because tags are merely strings of text, it’s important to define strict parameters (spelling, prefix/suffix conventions, abbreviations, etc.) governing their use; inconsistent tagging takes a lot of value out of the process. If some people use the value “HR” but others use “humanResources”, it creates a blind spot in your “Department” tag—and a potential for inaccurate reporting.
As we saw earlier, each tag is made up of a name and a value. If you’re setting up a tagging system from scratch, it might be helpful to make yourself a simple worksheet with the following columns:
Description. Define what each tag should be used to identify.
Tag name. The exact term used for the tag, e.g. “Department”, “Project”
Values. List all potential values for each tag name, e.g. “finance”, “website1”. If the list of potential values isn’t finite (employee names/numbers, dates, etc.), specify formatting to maintain consistency
Here’s an example with some commonly used tags to get you started:
Some things to keep in mind when creating your tags:
Tags aren’t inherited hierarchically from resource group to resource
A single resource can be assigned up to 15 tags. If that isn’t enough, you can work around it by creating a single tag containing multiple values (e.g. a “Project” tag with the values “Environment:dev” and “MaxUpTime:14days”). The JSON notation can be very handy to express multiple values or more complex data than single string value.
Tag names can have up to 512 characters; values can have up to 256
Tags in Azure are not case-sensitive
These characters aren’t supported with tags: < > % & / \ ?
Next step: create and manage tags from Azure CLI
Tags can be managed from the Azure portal, but this can be inefficient if you have lots of resources to work with. That’s where command line options such as Azure CLI come in handy. Here are some basic tagging operations to give you a feel for the syntax; refer to the official documentation to see everything you can do with tags in Azure CLI.
To list any existing tags in all resource groups within a subscription:
az group list --query .tags
To create a new “Environment” tag:
az tag create --name Environment
To add the value “dev” to the “Environment” tag:
az tag add-value --name Environment --value dev
To tag the resource group “example-resource-group” with the environment “prod” and cost center “IT”:
az group update -n example-resource-group --set tags.Environment=prod tags.CostCenter=IT
And here’s what this looks like in the portal:
Enforce tagging rules with Azure policies
We’ll say it again—tagging is only as effective as it is consistent. How do you make sure everyone plays by the rules? Azure policies can help.
Policies automatically enforce compliance rules you define. When it comes to tags, this might mean:
Making sure the value for all “Date” tags follows a “##-##-####” format
Assigning the tag “Environment:prod” by default to all resources created within a specific resource group
Making the CostCenter and Environment tags mandatory for all resources of a certain type
Appending a “tagStatus:missing” tag automatically to all untagged resources
Here’s another example of how tags and policies can work together. One best practice we strongly recommend from a user accountability perspective is to assign an “Owner” tag to resources as soon as they’re created—that way, if you need to take action on a given resource, you’ll know exactly who to contact about it.
Enforcing this practice can be achieved with an Azure policy that only allows resources to be created if both of these conditions are met:
The resource has an “Owner” tag assigned to it
The value of the “Owner” tag is a valid email address format
We won’t get into the nitty-gritty of the process here—that’s a post for another day. In the meantime, Microsoft’s documentation has a good step-by-step article on getting started with custom policies, and Azure has several built-in tag-related policies that you can play around with and customize. To access them from your Azure portal, search for “policy”, and select Definitions from the left-hand menu.
Tags are deceptively powerful
At a glance, tags are about as simple as it gets. But taking the time to consider your organization’s needs and design a solid framework for resource tagging will save you a lot of hassle moving forward. Management wants to know how much ExampleWorkload has been costing lately? Need to target a set of related resources for automation purposes? There are so many circumstances in which a good set of tags can mean the difference between painstaking and painless.