Are you taking advantage of Azure’s resource tagging capabilities for optimal visibility? If not, it’s time to get started.
In our recent primer on building a cloud cost governance plan, one of the key elements we covered was the issue of visibility: in order to understand and optimize your Azure bills, you need all the information you can get about the resources you’re paying for.
But if you want to take control manually, in addition to a documented naming convention, you’ll need a well-designed and consistently applied tagging convention. It will help you with everything from ownership to lifecycle management, as well as enable targeted automation workflows and precise reporting.
In this post, you’ll learn how to design, implement and enforce an effective resource tagging strategy for maximal control over your cloud spend.
- The basics
- What tags do you need?
- Building your Azure tagging system: best practices
- Create and manage tags with Azure CLI
- Enforce tagging rules with Azure policies
Resource tagging in Azure: the basics
Tags let you organize resources and resource groups by assigning them a name:value pair such as CostCenter:HumanResources. This can be especially useful when it comes to things like:
- Access control and compliance: keep track of who can interact with what, and protect sensitive data.
- Automation: apply bulk actions to related resources automatically, e.g. “shut down all VMs with the tag Environment:dev overnight” or “in resource-group-1, delete resources that have been inactive for 90 days”.
- Cost governance: most tags assigned to resources are included in your detailed usage data CSV and, as of last year, in the Cost Management Portal APIs. This lets you filter resources according to a common project, customer, department, etc., to facilitate reporting (how much is a particular application/workload costing?) and chargebacks (which department is responsible for which costs?). However, the usefulness of tags remains limited in Azure’s native cost management offerings, which don’t support tags assigned to resource groups, among other drawbacks.
What tags do you need?
Tags let you categorize your Azure resources according to whichever patterns make sense for your organization’s needs.
Creating a global strategy? Then before you start slapping labels on resources left and right, you’re going to want to ask around for some input. Make a list of stakeholders—department heads, team leads, upper management, anyone who might want insights on the company cloud. Try to gather as much information on their needs as you can:
- How does billing divide the organization for chargeback purposes? By department? By project?
- Are there any department-specific codes (e.g. for cost centers) or taxonomies you should be aware of?
- What information does upper management want to see on reports?
- How does each department hold its users accountable for resource use?
Best practices for building your Azure tagging system
Now that you have a good idea of what types of data your tagging system should account for, it’s time to establish a consistent taxonomy for your tags.
Here’s where it’s useful to understand some basic information architecture concepts; if you’re interested in digging a bit deeper, I highly recommend UXBooth’s intro to taxonomies article.
Because tags are merely strings of text, it’s important to define strict parameters (spelling, prefix/suffix conventions, abbreviations, etc.) governing their use; inconsistent tagging takes a lot of value out of the process. If some people use the value “HR” but others use “humanResources”, it creates a blind spot in your “Department” tag—and a potential for inaccurate reporting.
In a nutshell, a well-designed tagging system:
- Should leave no room for interpretation in its application
- Must make sense at scale (when adding new names or values)
As we saw earlier, each tag is made up of a name and a value. When coming up with your set of names and their corresponding value options, you really only need to keep two things in mind:
- The names within your set should be mutually exclusive (overlap means there’s room for interpretation) and collectively exhaustive (i.e. address all possible scenarios)
- If the values attached to a given name are finite (e.g. all possible options under the name ‘BusinessUnit’), the above principle of mutually exclusive/collectively exhaustive also applies
If you’re setting up a tagging system from scratch, it might be helpful to make yourself a simple worksheet with the following columns:
- Description. Define what each tag should be used to identify.
- Tag name. The exact term used for the tag, e.g. “Department”, “Project”
- Values. List all potential values for each tag name, e.g. “finance”, “website1”. If the list of potential values isn’t finite (employee names/numbers, dates, etc.), specify formatting to maintain consistency.
Here’s an example with some commonly used tags to get you started:
Some things to keep in mind when creating your tags:
- Tags aren’t inherited hierarchically from resource group to resource
- A single resource can be assigned up to 15 tags. If that isn’t enough, you can work around it by creating a single tag containing multiple values (e.g. a “Project” tag with the values “Environment:dev” and “MaxUpTime:14days”). JSON notation can be very handy for expressing multiple values or more complex data than a single string value.
- Tag names can have up to 512 characters; values can have up to 256
- Tags in Azure are not case-sensitive
- These characters aren’t supported with tags: < > % & / ?
Next step: create and manage tags from Azure CLI
Tags can be managed from the Azure portal, but this can be inefficient if you have lots of resources to work with. That’s where command line options such as Azure CLI come in handy. Here are some basic tagging operations to give you a feel for the syntax; refer to the official documentation to see everything you can do with tags in Azure CLI.
To list any existing tags in all resource groups within a subscription:
az group list --query "[].tags"
To create a new “Environment” tag:
az tag create --name Environment
To add the value “dev” to the “Environment” tag:
az tag add-value --name Environment --value dev
To tag the resource group “example-resource-group” with the environment prod and cost center IT:
az group update -n example-resource-group --set tags.Environment=prod tags.CostCenter=IT
And here’s what this looks like in the portal:
Enforce tagging rules with Azure policies
We’ll say it again—tagging is only as effective as it is consistent. How do you make sure everyone plays by the rules? Azure policies can help.
Policies automatically enforce compliance rules you define. When it comes to tags, this might mean:
- Making sure the value for all Date tags follows a “##-##-####” format
- Assigning the tag Environment:prod by default to all resources created within a specific resource group
- Making the Environment tags mandatory for all resources of a certain type
- Appending a tagStatus:missing tag automatically to all untagged resources
Here’s another example of how tags and policies can work together. One best practice we strongly recommend from a user accountability perspective is to assign an “Owner” tag to resources as soon as they’re created—that way, if you need to take action on a given resource, you’ll know exactly who to contact about it.
Enforcing this practice can be achieved with an Azure policy that only allows resources to be created if both of these conditions are met:
- The resource has an Owner tag assigned to it
- The value of the Owner tag is a valid email address format
We won’t get into the nitty-gritty of the process here—that’s a post for another day. In the meantime, Microsoft’s documentation has a good step-by-step article on getting started with custom policies, and Azure has several built-in tag-related policies that you can play around with and customize. To access them from your Azure portal, search for “policy”, and select Definitions from the left-hand menu.
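The limits listed under “Some things to keep in mind” and the Owner and Date rules described in this section can also be checked before deployment, for example in a CI step. The linter below is an added example, not code from the original post and not an Azure Policy definition; the taxonomy, the required tags and the sample resources are hypothetical.

```python
import re

# Limits and unsupported characters as stated in this post.
MAX_TAGS, MAX_NAME_LEN, MAX_VALUE_LEN = 15, 512, 256
UNSUPPORTED = set("<>%&/?")  # Azure applies this restriction to tag names

# Hypothetical worksheet: tag name -> finite set of values, or a format regex.
TAXONOMY = {
    "Environment": {"dev", "test", "prod"},
    "Department": {"HumanResources", "Finance", "IT"},
    "Owner": re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),  # email-shaped
    "Date": re.compile(r"\d{2}-\d{2}-\d{4}"),          # ##-##-####
}
REQUIRED = ("Environment", "Owner")
CANONICAL = {name.lower(): name for name in TAXONOMY}  # names ignore case

# Constructed sample resources (not real data).
SAMPLE = {
    "vm-web-01": {"Owner": "jane.doe@example.com", "Environment": "prod"},
    "vm-hr-02": {"owner": "jdoe", "Department": "HR", "Date": "2019-01-31"},
}


def lint_tags(tags):
    """Return the list of problems found in one resource's tag dict."""
    problems = []
    if len(tags) > MAX_TAGS:
        problems.append(f"too many tags: {len(tags)} > {MAX_TAGS}")
    for name, value in tags.items():
        rule = TAXONOMY.get(CANONICAL.get(name.lower()))
        if len(name) > MAX_NAME_LEN or len(value) > MAX_VALUE_LEN:
            problems.append(f"tag too long: {name}")
        if UNSUPPORTED & set(name):
            problems.append(f"unsupported character in name: {name}")
        if rule is None:
            problems.append(f"tag not in taxonomy: {name}")
        elif isinstance(rule, set) and value not in rule:
            problems.append(f"value not allowed for {name}: {value}")
        elif isinstance(rule, re.Pattern) and not rule.fullmatch(value):
            problems.append(f"bad format for {name}: {value}")
    present = {name.lower() for name in tags}
    problems += [f"missing required tag: {r}" for r in REQUIRED if r.lower() not in present]
    return problems


if __name__ == "__main__":
    for resource, tags in SAMPLE.items():
        print(resource, lint_tags(tags) or "ok")
```

Allowed values are matched exactly, so “HR” is rejected when the worksheet specifies “HumanResources”, which is the kind of drift that creates blind spots in reports.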
Tags are deceptively powerful… but not perfect
At a glance, tags are about as simple as it gets. But taking the time to consider your organization’s needs and design a solid framework for resource tagging will save you a lot of hassle moving forward.
Management wants to know how much the VMs in your development environment have been costing lately? Need to target a set of related resources for automation purposes? There are so many circumstances in which a good set of tags can mean the difference between painstaking and painless.