Azure Azure Governance

Azure Spring Clean: How to use resource tags to organize your Azure resources

by wmatthyssen


Azure Spring Clean, organized by Joe Carlyle and Thomas Thornton, is a great community initiative to promote well-managed Azure tenants.

Throughout the month of February, a total of 20 blog posts, all about Azure management topics and best practices, will be shared by community members from all over the world. This is truly what community is all about, sharing knowledge and helping people learn new things and improve their skill sets.

You can check out all the other blog posts at https://www.azurespringclean.com. You can also keep an eye on Twitter for the hashtag #AzureSpringClean to know all about it.

For my contribution, I will take a look at Azure resource tags, which can help you organize and better manage all your Azure resources.



What are resource tags?

Resource tags provide you with a way to apply additional metadata to your cloud resources to include information that could (or should) not be included in the resource name. They can also help you to remain in control of your cloud environment and assist you in logically organizing all your resources with properties that you define.

They can be applied to resource groups or resources directly and should be an essential part of your Azure Governance Foundation.

A lot of Azure services, like Azure Cost Management, Azure Policy and Azure Automation can be used to control or use tags to apply actions on specific resources.

In this way, tags become a crucial part of your Azure Governance strategy, and they should be tightly aligned with your naming standards (conventions). Tags are an important part of getting started with a solid Azure Foundation.

You should always plan the management and naming of your tags carefully before using them in your Azure environment(s). Always identify all the commonly used tags upfront and apply them consistently when deploying any new Azure resources. Your tagging approach can be simple or complex, but it’s best to use an IT-aligned focus to reduce its complexity.

Next to resource tags, there are also other types of tags used by some other Azure services and resources, like, for example service tags, which you use to define network access controls on network security groups or on Azure Firewall. These types of tags will not be a part of this blog post.

Most resource types support tags. You can find the complete list of supported resources on this Microsoft Docs page.


Different ways to use resource tags

Tags become very helpful when you need to track resources for billing. For example, they can help you define which department is responsible for paying for specific Azure resources at the end of the month.

Another way you can use resource tags is when you’re running different workloads in separate environments (Hub, Production, Quality Assurance, and Development) in the same Azure subscription. Here, tags can help you quickly organize and manage all the resources between those different environments.

They are also a good way to manage resources related to a specific project. By adding a specific tag to identify the project, you can easily delete all related resources when the project is finished and no longer needed. Tags can assist you in identifying unused resources and, ultimately, reducing your cloud sp€nding.

Besides that, you can use tags in your day-to-day operations, like setting your backup retention period or maintenance window(s) on a resource for use with Azure Backup or Azure Update Management.

Furthermore, they can be used to automatically apply bulk actions to specific resources (automation), like e.g., starting and shutting down virtual machines (VMs) of a distributed workload in sequence (Start/Stop VMs during off-hours solution).


Common resource tag examples

A resource tag always consists of a name and a value (name/value pair). Always define a good tagging convention before deploying it to any resource.

For administration purposes and as a guideline, it is best to record and describe all used (required and optional) tags in your Azure Governance Plan.

You can find some common resource tag examples below:

  • Env: Hub, Env: Prd, Env: Acc, Env: Dev, Env: Tst, Env: Poc
  • Criticality: Mission-critical, Criticality: High, Criticality: Medium, Criticality: Low
  • Owner: wmatthyssen@demo.be, Owner: gpeeters@demo.be
  • Requester: wmatthyssen@demo.be, Requester: gpeeters@demo.be
  • WorkloadName: DomainController, WorkloadName: SAP, WorkloadName: Winfact
  • ManagedBy: CentralIT, ManagedBy: CloudOperations, ManagedBy: MSP
  • Purpose: Networking, Purpose: Storage, Purpose: Management
  • CreatedBy: wmatthyssen@demo.be, CreatedBy: gpeeters@demo.be
  • DataClassification: General, DataClassification: Confidential, DataClassification: Public
  • CostCenter: 23, CostCenter: 24, CostCenter: 25
  • Department: It, Department: Hr, Department: Marketing, Department: Finance
  • Project: A, Project: B, Project: C
  • Compliance: GDPR, Compliance: ISO9001
  • Tier: Web, Tier: App01, Tier: App02
  • ReviewOn: 01-08-2020, ReviewOn: 01-16-2020
  • StartDate: 01-08-2020, StartDate: 01-09-2020
  • EndDate: 01-08-2020, EndDate: 01-09-2020
  • Region: WestEurope, Region: NorthEurope
  • Approver: wmatthyssen@demo.be, Approver: gpeeters@demo.be
  • UpdateSchedule: wus-3th-sun-0800-pm-rir, lus-2nd-sat-0800-pm-nr
  • BackupPolicy: bp-prd-vm-10pm-ir5-d27-w54-m12-y5, BackupPolicy: NoBackup



Characteristics and limitations

Resource tags have some characteristics and limitations that you should be aware of before using them. The most important are listed below:

  • There is a maximum of 50 tags that can be associated with a resource or resource group (currently, storage accounts only support 15 tags).
  • Tags can span resource groups, allowing you to link resources across disparate deployments.
  • You can only use alphanumeric characters (also not case-sensitive) for your tags, with a limitation of 512 characters for the name and 256 characters for the value (for storage accounts, the name is limited to 128 characters).
  • You should use the built-in contributor role (or the contributor role for a specific resource) when applying tags.
  • There is no inheritance (hierarchical inheritance) when a tag is applied to a resource group. So, you need to tag all resources separately in that resource group.
  • Each applied tag is automatically added to the subscription-wide taxonomy.
  • ASM resources, like VMs, Virtual Networks, and Storage Accounts, do not support tagging. You can redeploy them through Resource Manager to be able to apply tags to them. A way around this is to tag the resource group they belong to.


Add, remove, and work with resource tags in the Azure Portal

Using resource tags inside the Azure Portal can be a very simple, yet powerful way to add some additional metadata, categorize, and also search for your Azure resources. Below, you can find some common tasks you can carry out with tags in the portal.

To add (or to view all existing tags) a resource tag for a specific resource (or resource group). Go to the resource and open the Overview page. Next to Tags you will find all currently existing tags for that specific resource. In my example, I used a VM named “vm-myh-web-03.”



To add a new tag to the resource, click Tags (edit). Fill in a new Name and Value for your new tag (like “Project: A”). To save the new tag to your resource, click Save.





From the All resources blade, you can also add new resource tags. From the sidebar, select All Resources. Select a specific resource under “Name” and click on “Assign Tags.”


On the Assign tags page, you can select an existing resource tag (Name and Value) or add a completely new resource tag. Click Save to add the resource tag to the resource (in my example, the “Project: A” resource tag is added).




To view all existing Resource Tags (the list will be empty if you have not yet applied any tags), click on the Tags icon under “FAVORITES” directly from the sidebar (you can pin it through All services if it is not already shown).



In the Tags blade, you can click on a specific tag (Env : Prd), to see or work with all the different resources that have that specific tag applied.



Another way to view all existing resource tags (or manage resources using that tag) is by typing “Tags” in the global search box in the middle of your Azure Portal screen. Then click on Tags under Services to open the Tag blade from there. A nice extra feature when you use it from here is that all links to the Microsoft Docs about Tags will also be shown underneath the Documentation section. When you click on one of those links, an extra tab in your browser will open with that selected webpage.




Manage Azure Compute resources with tags in the Azure Portal

Resource tags can be very useful while working with your Azure IaaS VMs and all dependent resources.

To list all your IaaS VMs with a specific tag, you should open Virtual Machines from the sidebar.



Click on “Add filter” and select the tag(s) for your selection. In my example, I will select all Prd VMs.



When selected, all VMs with the resource tag pair Env: Prd will be shown.



To return a list of all resources that have the resource tag pair “Env: Prd,” go to “All resources” in the sidebar. Click +Add filter on the opened All resources blade. Under Tags select Env and under filter items, select Prd.



This will list all resources that have the Env: Prd tag pair.



Managing resource tags with Azure PowerShell

Like you could already read, resource tags can be managed and created from the Azure portal, but this can be inefficient if you have lots of resources in Azure to work with. That is where Azure PowerShell comes in handy and can help you easily identify and manage all those resources. You can also manage tags using the Azure CLI or by using the Resource Manager REST API, but I will keep it to Azure PowerShell in this post.

In the examples, I used Azure Cloud Shell (http://shell.azure.com) to run all the Azure PowerShell cmdlets. You need to change all variables like ResourceGroupName, ResourceName, Name, and Value as needed.


List all existing resource tags and the number of occurrences for all resource groups within an Azure subscription.

Get-AzTag




When you configure a resource tag, you can also store the name/value pair in a hash table format (Hastable).

$tags = @{Name="Value"}
$tags | Get-Member



Get all resource tags added to a specific resource group.

(Get-AzResourceGroup -Name ResourceGroupName).Tags



Get all resource tags added to a specific resource in a resource group.

(Get-AzResource -ResouceGroupName ResourceGroupName -ResourceName ResourceName).Tags



Tag a resource group with a new Project: A resource tag.

$tags = (Get-AzResourceGroup -Name ResourceGroupName).Tags
$tags.Add("Name","Value") 
Set-AzResourceGroup -name ResourceGroupName -Tag $tags



Tag a resource (vm-myh-web-03) in a resource group (rg-prd-myh-web-01) with a new Project: C resource tag.

$tags = @{Name="Value"} 
$vm = Get-AzResource -ResourceGroupName ResourceGroupName -Name VMName
Set-AzResource -ResourceId $vm.Id -Tag $tags -Force




Remove all tags from a resource group.

Set-AzResourceGroup -Name ResourceGroupName -Tag @{}



This is just a short list of some basic Azure PowerShell tagging operations, just to give you a feel for the syntax. If you want to learn more, I would advise you to check out the official Azure PowerShell documentation.


Use resource tags in Azure Cost Management

Like already said above, tagging is a useful tool to identify a project or the department that is responsible for paying for specific Azure resources at the end of the month. By analyzing your tagged Azure resources and usage data in Azure Cost Management, you can gain insights into your consumption, which in the end can enable better cost management throughout your company and reduce your overall cloud sp€nding.

To check the usage for a specific department (cost analysis) with a tag (CostCenter: IT), select Cost Management + Billing from the sidebar in the Azure Portal. Next, click on Cost Management to open the Cost Management blade.



Select Cost analysis under Cost Management and click on “Add filter“.



Select Tag as the filter item, select the Name (CostCenter) and select the Value (IT).



You should now see all costs or accumulated costs (depending on your selected VIEW) for that specific CostCenter (selected Tag filter).



Just like when working with Cost analysis, you can also use specific resource tags while working with Budgets in Azure Cost Management.




Manage resource tags with Azure Policy

One of the most useful features when it comes to using policies is the ability to tag rules or policies. By creating such policies, you avoid the scenario of resources being deployed to your Azure subscription that do not use the expected (required) tags included in your company’s Azure Governance implementation.

Instead of manually applying tags or searching for resources that are not compliant, you can easily create a policy that automatically applies mandatory or default tags during deployment. Setting resource tags through policies allows you to set them from the beginning of a deployment, sparing you the work to remediate them afterwards on existing resources, which can be a lot of work to figure out.

A best practice is to define tag policies at the subscription level (e.g., subscription policies for required tags). Keep in mind that currently, remediation tasks are not supported in management groups.

To create a tag policy, open Policy in the sidebar and select Assignments.



Click on “Assign policy” and select your Azure subscription (or a management group) as Scope. This activates the Assign policy blade.



To access the policy definition picker page, click on at the end of the Policy Definition field. Because we have a tag policy, type tag in the Search column. This will bring up the list of available tag Policy Definitions.



Select Require tag and its value.



Type in a Description and set Policy enforcement to Enabled. Click Next.



Apply a Tag Name (ResourceOwner) and a Tag Value (wmatthyssen). Click Next (x2).



On the Review + create page, validate all parameters and click on “Create.”



You can check your newly created tag policy under Assignments. Now every newly created resource will have this tag enforced.



You can find more information about using tags with Azure Policy on this Microsoft Docs page.


Summary

Azure resource tags provide a way to quickly organize all your Azure resources. That is why, together with a strong naming convention, they should be a core element in your Azure Governance strategy.

That brings me to the end of this post, and before closing off, I just wanted to say that I am excited to be part of this online event and trust you will take away new things from all the content shared on the Azure Spring Clean website.

If you have any questions or comments about my post, always feel free to contact me through my Twitter handle, @wmatthyssen and make sure to follow the #AzureSpringClean hashtag to get your Azure environment cleaned up throughout the whole month of February.

Happy cleaning and TAGging!


1 comment on “Azure Spring Clean: How to use resource tags to organize your Azure resources

  1. Pingback: Azure Arc: Using tags with Azure Arc-enabled servers – Wim Matthyssen

Comments are closed.

%d bloggers like this: