Post

Azure Tags | Governance

Posted Updated
Preview Image
By Nicklas Karlsson 8 min read

How to use Azure Tags to ease up your cloud governance

Microsoft Azure offers their customers a flexible cloud platform in terms of deployment and management solutions. But in the real world, organizations face many challenges when it comes to creating a well-defined strategy to balance operational and cost efficiency in the cloud.
Azure tags are a feature introduced in the Azure Resource Manager model, which can be used to logically group and track resources, automate their deployment and most importantly, provide visibility into the costs incurred. This blog post will explore the top features that make Azure tags a must-have in any dynamic Azure environment.

I think you can get some real goodies out of this post… happy reading…


TAGS

Organize resources with Azure Tags

Azure tags are name/value pairs used to organize resources in the Azure portal. You can search tags for individual resources or tag the resource group they are a part of. Implementing a proper tagging strategy can help organizations gain much better control over and increase visibility of the resources contained in their Azure subscription. The name/value pairs can be what helps identify the category a specific resource belongs to. For example, you can add environment-related tags to virtual machines to determine whether the resource belongs to the test, QA, or production environment. The possible tags in this use case could be Environment : Development, Environment : QA or Environment : Production. You can easily sort your resources in the Azure portal using the tags to get a quick overview of all the resources included in your development, QA or production environments, as shown below.

AZURE TAGS

In the Azure Resource Manager (ARM) model, resource groups also provide a grouping function that you can use to group together all resources that share the same lifecycle. However, there is a fundamental difference between the use of resource groups and tags. Resource groups provide an interconnected content structure for managing your resources, starting from provisioning and lifecycle management. Tags, on the other hand, are a loosely coupled form of grouping, and they can be associated with resources from multiple resource groups. You can associate resources with the same tags for several different types of resources within one or more subscriptions to make management and visibility easier.

The role of tags in automation

Azure Automation is a service available in the Azure portal that helps you automate many management tasks related to your Azure and on-premises resources. Azure automation runbooks use PowerShell in the backend. Tags that you assign to resources in Azure can be referenced in automation runbooks to perform specific tasks on the tagged resources. This makes life easier for an administrator who wants to automate tasks for a group of labeled resources, possibly from several resource groups.

AUTOMATION

There are many pre-built runbooks available in the Azure Automation runbooks gallery that can be used to leverage tags. These runbooks can also be reused by updating the name/value of the tags in your Azure environment.

Use of Azure Tags for cost management

The tags you assign to resources are reflected in your detailed Azure usage report, which is available in CSV format from the accounting portal. This report provides insights into costs incurred for the tagged resources, and you can further analyze it by sorting usage based on tags.

“You can also extract all tags via API, PowerShell, CLI, etc. and save the most important data that you need for the purpose. Perhaps integration with their financial system for automatic invoicing based on the tags”
I will write more about this in future blog posts…

I’m not a fan of excel when it comes to visualization, but I use Power BI for this purpose. (however based on the same data, or I can extract my own data and combine as I want to). A possible use case would be if you want to reimburse/invoice Azure resource costs to your respective internal departments. The resources used by the department can be tagged with a cost center name/value pair tag, and the costs incurred by the department can be easily isolated from the usage report with the assigned tag.

TAG REPORT

With the help of Serverless services in Azure, you can easily connect your subscription with Power BI and use tags to pivot your costs or other interesting data

Azure Tags “Best-Practice”

Adding tags for your Azure resources is easy and can be done using Azure Portal, Azure PowerShell, CLI, CoudShell, Terraform, Bicep or ARM JSON templates. You can tag almost any resource in Azure and using this feature is free. The tagging is done at the Azure Platform level and does not affect the performance of resources in any way. However, there are certain rules and limitations in connection with tagging, which users should be aware of:

  • Each resource can have a maximum of 50 tags associated with it. Resources in this case can be individual resources such as VMs, networks, etc. or the resource group they are part of
  • Resources deployed using the classic deployment model (ASM) do not support tagging. It is an exclusive feature of the ARM model.
  • The maximum number of characters for a tag name is 512. For storage accounts, this is limited to 128 characters.
  • The maximum number of characters for a tag value is 256.
  • You should use JSON strings via ARM templates when you want to assign multiple values ​​to a tag name.
  • There is no inheritance hierarchy for tags (eg tags applied at the resource group level will not be inherited by all member resources).
  • The tag name prefixes “Azure”, “Windows” and “Microsoft” are reserved and cannot be used.

For more and updated restrictions/exclusions read more here …

While tagging can help you manage your resources more efficiently, it’s also important to adopt a good tagging strategy that will help you get the most out of this feature. The following guidelines can be used to implement a good tagging strategy:

  • The tags you use should help you identify the context of the resource usage. They can be based on the project name, version, level, environment, data profile, etc. The names and values ​​should be adapted to your organization’s needs.
  • Use a naming standard for resources to maintain consistency in your Azure environment. Define the standards applicable to tags and enforce them using Azure policies or Azure Blueprints.
  • Use tags early, preferably when creating resources. This helps you manage resources more efficiently. Adding tags retroactively is inefficient, and it requires additional administrative overhead to streamline the process.
  • Automate the tagging process using tools like PowerShell, CLI, Terraform, Bicep, ARM templates, etc. I recommend creating standard templates or reusable templates or scripts to optimize the process.
  • Monitor labeling practices and make changes to naming conventions and processes as needed. Sanitation checks of the environment should be carried out regularly to remove those obsolete thorns and avoid a wild thorn flora.

Start Tagging Your Azure Resources NOW!!!

Use Azure Tags in third-party tools

If you use a third-party tool to collect information about your Azure usage and provide you with more comprehensive insights into compliance, security, monitoring, and optimization, you can benefit greatly from the tags used. There are many areas that can benefit from a basic tagging strategy.

Management and monitoring

If you have a management and monitoring tool, with support for Azure-Tags, it will be able to provide detailed information about resources based on the tags associated with your Azure resources. You can also look up resources based on a resource name and find tags associated with it. This gives you a ‘Single-Pane’ view of the tagging strategy implemented by the organization and can help you review and make corrections where necessary.

Compliance with standards

You can compare tags that conform to standards against the tagging strategy of your own organization using custom reports available via, for example, PowerBI. With this information, you can establish rules for your tagging strategy, which can then be used to generate reports on incorrectly tagged resources.

Cost analysis

Tags can really help you produce clear granular reports based on the tags and resources used in your subscription. Alerts/Budgets can be created to keep track of costs incurred by managed resources, and you can add filters based on the tags available.

Control with tag mapping

You can add additional tags to your Azure cost reports based on any of the existing tag names and values ​​in the Azure usage report. This is helpful in scenarios where you want to create reports that summarize the costs incurred by multiple tags in each subscription. This feature enables improved control over the existing tagging strategy by making corrections where needed in terms of cost allocation.

Better insight into Azure inventory and security

Through a simple Power BI Report, you can provide inventory reports on unmarked resources in Azure. These reports can be analyzed by administrators and used to associate with the necessary tags where appropriate. Tools that have built-in compliance and security controls that can be used to provide insights into the environment’s security posture. These reports can be further customized with tags, which facilitates the control of infrastructure management overhead.

Summary

There are a lot of options and areas where tags come in handy. They can give you the third dimension to structure and organize resources.
Take your to time plan for a usable strategy for tags. User Policies and Blueprints to apply and maintain the quality of tags in your cloud infrastructure.

azure, governance
cloud azure governance tags management
This post is licensed under CC BY 4.0 by the author.