Open in app

Sign in

Write

Sign in

MICROSOFT AZURE: USE TAGS FOR ORGANIZING RESOURCES

Organize Azure resources using tags

Governance — Tips and tricks to use tags in Azure

RK Iyer

--

Photo by Mehrad Vosoughi on Unsplash

❑ Background

Recently I visited a department store near my home and was surprised to see a complete change in product tagging & shelf label statergy. On further inquiry, the staff explained to me that this change was not only helping the store in organizing & tracking the products but also improved the overall customer shopping experience. Tags also provide important product information to the customer thereby becoming a great marketing tool for the business & helps in improving the overall operational efficiency of the store in this highly competitive consumable goods market.

Similarly, When it comes to IT, Organizations face problem when different teams provision different cloud resources and it becomes difficult to govern, organize & track the cloud based resources. It becomes inevitable to organize your cloud-based resources to support billing models, cloud accounting approaches, management, and to optimize resource utilization and cost.

In this blog series, I am going to explain tags in Azure, tag statergy & use cases, ways to create tags and also describe how we can use Policy Assignments in Azure to enforce tags for the resources that you provision in Azure.

❑ What is a resource tag?

Azure resource tagging allows you to add additional metadata to a resource that will help in categorization and search for your resources. Tags can be applied to your Azure resources, resource groups, and subscriptions to logically organize them into a taxonomy.

Each tag consists of a name and a value pair. Although the values you include in these pairs is up to you, but the application of a consistent set of global tags is a critical part of an overall governance policy.

Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.

❑ What is your tagging Statergy?

Organization’s tagging statergy depends on operations requirements, business requirement or security requirement.

IT operations tagging focus could be based on workload, application, function, or environment. This reduces the complexity of monitoring assets and simplifies making management decisions based on operational requirements.

Business-aligned tagging focus could be based on accounting, business ownership, or business criticality/impact. This provides improved accounting for costs and value of IT assets to the overall business.

Please find below sample of how tagging can be used by an organization to organize cloud assets.

Sample Tags for an organization

Do not include sensitive information in tags. This includes information that may be personally identifiable, such as an individual’s name or title. Tags are not designed to handle sensitive information.

What are tagging Use cases?

Please find below some of the detailed tagging use cases

Resource Management — Search & track resources — Tags can be used to quickly locate resources associated with specific workloads, environments, ownership groups, cost centers & business units or other important information.

Locate resources with specific environment

Operations management — Tags can be used to provide visibility for the operations management team regarding business commitments and SLAs. e.g. Workloads with criticality Mission-critical, unit-critical, high,medium,low, low. Please refer mission criticality for more details.

Security — Classification of data and security impact is a vital data point for the team, when breaches or other security issues arise. Please refer data classification for more details.

Workload optimization Tag can also help identify the assets required to support a single workload enabling deeper analysis of your mission-critical workloads to make sound architectural decisions.

Group billing data & analyzing cost optimization opportunities — You can use tags to group your billing data. For example, if you’re running multiple VMs for different organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production, development & stage environment.

Cost Analysis for dev & stage environment

Automation run book using tags— Start/Stops, patching, backups, anti-malware. You might have regularly running scripts that can take an action based on a tag value like ShutdownTime or DeprovisionDate.

The link describes whether a resource type supports tags. Tag support for resources — Azure Resource Manager | Microsoft Docs

❑ Create tag in Azure

There are multiple ways to create the Azure tag using Azure Portal, Powershell or Azure CLI

■ Pre-requisites — Required access

There are two ways to get the required access to tag resources.

➊ You can have write access to the Microsoft.Resources/tags resource type. This access lets you tag any resource, even if you don't have access to the resource itself. The Tag Contributor role grants this access.

➋ You can have write access to the resource itself. The Contributor role grants the required access to apply tags to any entity.

Please Note, Currently, the tag contributor role can’t apply tags to resources or resource groups through the portal. It can apply tags to subscriptions through the portal. It supports all tag operations through PowerShell and REST API.

■ Create tag using Azure Portal

To apply a tag to a resource group:

  1. Sign in to the Azure portal.
  2. Navigate to the ResourceGroups for which one you want to create the Azure tag.
  3. On the resource group page, Go to Overview tab, See the Tags (Change) option, Now click on the Click here to add tags link to add the tags.
Provide tag to a resource group

4. Provide the name and value for the tag like below.

Provide Name & Value for the tag

5. Check the Overview tab of the resource group, you can see the newly created tags are getting displayed.

■ Create tags using Powershell command

Please refer below link for creating tags using Powershell

Tag resources, resource groups, and subscriptions for logical organization — Azure Resource Manager | Microsoft Docs

■ Create tags using Azure CLI

Please refer below link for creating tags using Azure CLI

Tag resources, resource groups, and subscriptions for logical organization — Azure Resource Manager | Microsoft Docs

When a tag is applied at a parent scope, all resources within that scope don’t inherit the same tag so tags applied to the resource group or subscription aren’t inherited by the resources.

❑ Assign policies for tag compliance

Now going back to the departmental store example, store employees have to adhere to certain rules & standards while applying tags to products to maintain consistency & uniformity. Store supervisors needs to verify that tagging is not missed for a single product.

Similarly, IT organizations can use Azure Policy to enforce tagging rules and conventions. By creating a policy, you can avoid the scenario of resources being deployed to your subscription that don’t have the expected tags for your organization.

Some of the example policies for tags are -

Add a tag to resource groups — Adds the specified tag and value when any resource group missing this tag is created or updated.

Add a tag to resources — Adds the specified tag and value when any resource missing this tag is created or updated.

➧Add or replace a tag on resource groups — Adds or replaces the specified tag and value when any resource group is created or updated.

➧Inherit a tag from the resource group if missing — Adds the specified tag with its value from the parent resource group when any resource missing this tag is created or updated.

Please refer the link for more details for example policies for tags. Policies for tagging resources — Azure Resource Manager | Microsoft Docs

Lets take an example of below example tag policy which can be leverage

➦ Inherit the tag from a resource group if missing

This inbuilt Azure tag policy helps to add the provided tag with its value from the parent resource group when any of the resources missing this tag is created or updated.

You can see the below path in the Azure Portal to find the definition of this Azure tag Policy

https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea3f2387-9b95-492a-a190-fcdc54f7b070

Please refer next article of how to enforce the above tags using Azure Policies.

Happy Learning!!!

❑ Reference

Resource naming and tagging decision guide — Cloud Adoption Framework | Microsoft Docs

What is data classification? — Cloud Adoption Framework | Microsoft Docs

Business criticality in cloud management — Cloud Adoption Framework | Microsoft Docs

Tag support for resources — Azure Resource Manager | Microsoft Docs

Please Note — All opinions expressed here are my personal views and not of my employer.

Thought of the moment-

“Only those who dare to fail greatly can ever achieve greatly” Robert F. Kennedy

Azure
Azure Policies
Azure Governance

--

--

RK Iyer

Written by RK Iyer

209 Followers

Architect@Microsoft, Technology Evangelist, Sports Enthusiast! All opinions here are my personal thoughts and not my employers.

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams