
Azure Spring Clean: How to use Resource Tags to organize your Azure resources


Azure Spring Clean, organized by Joe Carlyle and Thomas Thornton, is a great community initiative to promote well managed Azure tenants.

Throughout the month of February, a total of 20 blog posts, all about Azure Management topics and best practices, will be shared by community people from all over the world. This is truly what community is all about: sharing knowledge and helping people learn new things and improve their skill set.

You can check out all other blog posts at https://www.azurespringclean.com. You can also keep an eye on Twitter for the hashtag #AzureSpringClean to know all about it.

For my contribution, I will take a look at Azure resource tags, which can help you organize and better manage all your Azure Resources.



What are resource tags?

Resource tags provide you with a way to apply additional metadata on your cloud resources to include information that could (or should) not be included in the resource name. They can also help you to remain in control of your cloud environment and assist you in logically organizing all your resources with properties that you define.

They can be applied to resource groups or resources directly and should be an essential part of your Azure Governance Foundation.

A lot of Azure services, like Azure Cost Management, Azure Policy and Azure Automation, can control tags or use them to apply actions on specific resources.

In this way, tags become a crucial part of your Azure Governance strategy and they should be tightly aligned with your naming standards (conventions). Tags are a core element to start your Azure cloud journey with a good Azure Foundation.

You should always plan the management and naming of your tags carefully, before using them in your Azure environment(s). Always identify all the commonly used tags upfront and apply them consistently when deploying any new Azure resources.

Next to resource tags, some other Azure services and resources use other types of tags, for example service tags, which you use to define network access controls on network security groups or on Azure Firewall. These types of tags are not part of this blog post.


Different ways to use resource tags

Tags become very helpful when you need to track resources for billing. For example, they can help you to define which department is responsible to pay for (a) specific Azure resource(s) at the end of the month.

Another way you can use resource tags is when you're running different workloads in separate environments (Hub, Production, Quality Assurance and Development) in the same Azure Subscription. Here, tags can help you to quickly organize and manage all the resources between those different environments.

They are also a good way to manage resources related to a specific project. By adding a specific tag to identify the project, you can easily delete all related resources when the project is finished and is no longer needed. Here tags can help you to identify unused resources and in the end help you to reduce your Cloud Sp€nd.

Besides that, you can use tags in your day to day operations, like setting your backup retention period or maintenance window(s) on a resource for being used with Azure Backup or Azure Update Management.

Furthermore, they can be used to automatically apply bulk actions to specific resources (automation), for example starting and shutting down virtual machines (VMs) of a distributed workload in sequence (Start/Stop VMs during off-hours solution).


Common resource tag examples

A resource tag always consists of a name and a value (name/value pair). Always define a good tagging convention before deploying them to any resource.

For administration purposes, and as a guideline, it is best to record and describe all used (required and optional) tags in your Azure Governance Plan.

You can find some common resource tag examples below:

  • env: hub, env: prod, env: acc, env: dev, env: test, env: poc, env: demo
  • resourceOwner: wmatthyssen@demo.be, resourceOwner: gpeeters@demo.be
  • createdBy: wmatthyssen@demo.be, createdBy: gpeeters@demo.be
  • costCenter: it, costCenter: hr, costCenter: marketing
  • dep: it, dep: hr, dep: marketing, dep: finance
  • project: a, project: b, project: c
  • compliance: gdpr, compliance: iso9001
  • tier: web, tier: app01, tier: app02
  • role: dc, role: sql, role: web
  • applicationName: hrapp1, applicationName: hrapp2
  • reviewOn: 01-08-2020, reviewOn: 01-16-2020
  • endDate: 01-08-2020, endDate: 01-09-2020
  • managedBy: itsec, managedBy: itops
  • region: west europe, region: north europe
  • businessCriticality: critical, businessCriticality: high, businessCriticality: medium, businessCriticality: low
  • approver: wmatthyssen@demo.be, approver: gpeeters@demo.be
  • startDate: 01-06-20, startDate: 01_07_20



Characteristics and limitations

Resource tags have some characteristics and limitations you should be aware of before using them. The most important are listed below:

  • There is a maximum of 50 tags that can be associated to a resource or resource group (currently storage accounts only support 15 tags).
  • Tags can span resource groups, allowing you to link resources across disparate deployments.
  • You can only use alphanumeric characters for your tags, which are also not case-sensitive, with a limit of 512 characters for the name and 256 characters for the value (for storage accounts the name is limited to 128 characters).
  • You should use the built-in contributor role (or the contributor role for a specific resource) when applying tags.
  • There is no inheritance (hierarchical inheritance) when a tag is applied to a resource group. So, you need to tag all resources separately in that resource group.
  • Each applied tag is automatically added to the subscription-wide taxonomy.
  • ASM resources, like VMs, Virtual Networks and Storage Accounts, do not support tagging. You can redeploy them through Resource Manager to be able to apply tags on them. A way around this is to tag the resource group they belong to.


Add, remove and work with resource tags in the Azure Portal

Using resource tags inside the Azure Portal can be a very simple, yet powerful way to add some additional metadata, to categorize and also search for your Azure resources. Below you can find some common tasks you can carry out with tags in the portal.

To add a resource tag to a specific resource or resource group (or to view all its existing tags), go to the resource and open the Overview page. Next to Tags you will find all currently existing tags for that specific resource (in my example, I used a VM named wm-app-02).



To add a new tag to the resource, select (change). Fill in a new Name and Value for your new Tag (like Project: A). Click Save to add the new Tag to your resource.





You can also add new resource tags from the All resources blade. Open All resources from the sidebar. Select a specific resource under Name and click on Assign Tags.



On the Assign tags page, you can select an existing resource tag (Name and Value) or add a completely new resource tag. Click Save to add the resource tag to the resource (in my example the Project: A resource tag is added).




To view all existing Resource Tags (the list will be empty if you have not yet applied any tags), click on the Tags icon under FAVORITES, directly from the sidebar (you can pin it through All services if not already shown).



In the Tags blade you can click on a specific tag (Environment: Demo), to see or work with all the different resources that have that specific tag applied.



Another way to view all existing resource tags (or manage resources using that tag) is by typing Tags in the global search box in the middle of your Azure Portal screen. Then click on Tags under Services to open the Tags blade from there. A nice extra feature when you use it from here is that all links to the Microsoft Docs about Tags will also be shown underneath the Documentation section. When you click on one of those links, an extra tab opens in your browser with the selected webpage.





Manage Azure Compute resources with tags in the Azure Portal

Resource tags can be very useful while working with your Azure IaaS VMs and all dependent resources.

To list all your IaaS VMs with a specific tag you should open Virtual Machines from the sidebar.



Click on the All tags column, and select the tag(s) for your selection. In my example I will select all Demo VMs.




When selected, all VMs with the resource tag pair Environment: Demo will be shown.



To list all resources with the Environment: Demo resource tag pair, go to All resources in the sidebar. On the opened All resources blade, click on +Add filter.



Under Tags select Environment and under filter items select Demo.



This will list all resources which have the Environment: Demo tag pair.




Managing resource tags with Azure PowerShell

As you have already read, resource tags can be created and managed from the Azure portal, but this can be inefficient if you have lots of resources in Azure to work with. That is where Azure PowerShell comes in handy and can help you to easily identify and manage all those resources. You can also manage tags using Azure CLI or by using the Resource Manager REST API, but I will keep it to Azure PowerShell in this post.

In the examples, I used Azure Cloud Shell (http://shell.azure.com) to run all the Azure PowerShell cmdlets. You need to change all variables, like ResourceGroupName, ResourceName, Name and Value, where needed.


List all existing resource tags and the number of occurrences from all resource groups within an Azure Subscription:

Get-AzTag




When you configure a resource tag, you store the name/value pair in a hash table format (Hashtable).

$tags = @{Name="Value"}
$tags | Get-Member



Get all resource tags added to a specific resource group.

(Get-AzResourceGroup -Name ResourceGroupName).Tags



Get all resource tags added to a specific resource in a resource group.

(Get-AzResource -ResourceGroupName ResourceGroupName -ResourceName ResourceName).Tags



Tag a resource group with a new Project: B resource tag.

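$tags = (Get-AzResourceGroup -Name ResourceGroupName).Tags
# A resource group without tags returns $null, so start from an empty hashtable
if ($null -eq $tags) { $tags = @{} }
$tags.Add("Name","Value")
Set-AzResourceGroup -Name ResourceGroupName -Tag $tags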



Tag a resource (wm-app-01) in a resource group (wm-demo-vm) with a new Project: C resource tag.

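# Set-AzResource -Tag replaces the whole tag set, so merge with the existing tags
$vm = Get-AzResource -ResourceGroupName ResourceGroupName -Name VMName
$tags = $vm.Tags
if ($null -eq $tags) { $tags = @{} }
$tags["Name"] = "Value"
Set-AzResource -ResourceId $vm.Id -Tag $tags -Force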



List all VMs in an Azure Subscription with a specific resource tag (Environment: Demo).

Get-AzVM | Where-Object {$_.Tags["Name"] -eq "Value"}



Remove all tags from a resource group.

Set-AzResourceGroup -Name ResourceGroupName -Tag @{}



Remove all tags from a specific resource (demo-lb).

$resource = Get-AzResource -Name ResourceName
Set-AzResource -ResourceId $resource.Id -Tag @{} -Force



This is just a short list of some basic Azure PowerShell tagging operations, just to give you a feel for the syntax. If you want to learn more, I would advise you to check out the official Azure PowerShell documentation.
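An audit along these lines, as an added example that is not code from the original post: it checks resource records against the limits listed under Characteristics and limitations, and flags required tags that exist only on the resource group, since tags are not inherited. The function name Find-TagViolation, the required tag names, the allowed env values and the sample inventory are assumptions built from this post's example tags.

```powershell
# Assumed convention, built from this post's example tags (not Azure defaults).
$RequiredTags = 'env', 'resourceOwner', 'costCenter'
$AllowedEnv   = 'hub', 'prod', 'acc', 'dev', 'test', 'poc', 'demo'

function Find-TagViolation {
    param(
        [Parameter(Mandatory)] [object[]]  $Resource,          # shape of Get-AzResource output
        [Parameter(Mandatory)] [hashtable] $ResourceGroupTags  # group name -> tag hashtable
    )
    foreach ($r in $Resource) {
        $tags = @{}   # hashtable literals compare keys case-insensitively
        if ($r.Tags) { foreach ($k in $r.Tags.Keys) { $tags[$k] = $r.Tags[$k] } }
        # Limits from the list above: 50 tags (15 on storage accounts), names up
        # to 512 characters (128 on storage accounts), values up to 256.
        $isStorage = $r.ResourceType -eq 'Microsoft.Storage/storageAccounts'
        $maxTags   = if ($isStorage) { 15 } else { 50 }
        $maxName   = if ($isStorage) { 128 } else { 512 }
        $issues    = @()
        if ($tags.Count -gt $maxTags) { $issues += "tag count $($tags.Count) exceeds $maxTags" }
        foreach ($name in $tags.Keys) {
            if ($name.Length -gt $maxName) { $issues += "a tag name exceeds $maxName characters" }
            if ("$($tags[$name])".Length -gt 256) { $issues += "value of '$name' exceeds 256 characters" }
        }
        $groupTags = $ResourceGroupTags[$r.ResourceGroupName]
        foreach ($required in $RequiredTags) {
            if ($tags.ContainsKey($required)) { continue }
            # No inheritance: a tag on the resource group does not cover the resource.
            $onGroup = $groupTags -and ($groupTags.Keys -contains $required)
            $hint    = if ($onGroup) { 'set on the resource group only' } else { 'not set on the resource group either' }
            $issues += "missing '$required' ($hint)"
        }
        if ($tags.ContainsKey('env') -and $tags['env'] -notin $AllowedEnv) {
            $issues += "env value '$($tags['env'])' is not in the allowed list"
        }
        foreach ($issue in $issues) {
            [pscustomobject]@{ Resource = $r.Name; ResourceGroup = $r.ResourceGroupName; Issue = $issue }
        }
    }
}
# Constructed sample inventory (not real resources).
$groupTags = @{ 'wm-demo-vm' = @{ env = 'demo'; costCenter = 'it' } }
$vmType    = 'Microsoft.Compute/virtualMachines'
$inventory = @(
    [pscustomobject]@{ Name = 'wm-app-01'; ResourceGroupName = 'wm-demo-vm'; ResourceType = $vmType
                       Tags = @{ env = 'demo'; resourceOwner = 'wmatthyssen@demo.be'; costCenter = 'it' } }
    [pscustomobject]@{ Name = 'wm-app-02'; ResourceGroupName = 'wm-demo-vm'; ResourceType = $vmType
                       Tags = @{ Env = 'production' } }
)
Find-TagViolation -Resource $inventory -ResourceGroupTags $groupTags | Format-Table -AutoSize
```

Against a live subscription, pass the output of Get-AzResource as -Resource and build the group table from Get-AzResourceGroup (name to .Tags).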


Use resource tags in Azure Cost Management

Like already said above, tagging is a useful tool to identify a project or the department that is responsible to pay for specific Azure resources at the end of the month. By analyzing your tagged Azure resources and usage data in Azure Cost Management you can gain insights in your consumption, which in the end can enable better cost management throughout your company and reduce your overall Cloud Sp€nd.

To check the usage for a specific department (cost analysis) with a tag (CostCenter: IT), select Cost Management + Billing from the sidebar in the Azure Portal.  Next, click on Cost Management to open the Cost Management blade.



Select Cost analysis under Cost Management and click on Add filter.



Select Tag as the filter item, select the Name (CostCenter) and the Value (IT).



You should now see all costs or accumulated costs (depending on your selected VIEW) for that specific CostCenter (selected Tag filter).



Just like when working with Cost analysis, you can also use specific resource tags while working with Budgets in Azure Cost Management.




Manage resource tags with Azure Policy

One of the most used features when it comes to using policies is tagging rules or tagging policies. By creating such policies, you avoid the scenario of resources being deployed to your Azure Subscription that do not use the expected (required) tags included in your company’s Azure Governance implementation.

Instead of manually applying tags or searching for resources that are not compliant, you can easily create a policy that automatically applies mandatory or default tags during deployment. Setting resource tags through policies allows you to set them from the beginning of a deployment, sparing you the work of remediating them afterwards on existing resources, which can be a lot of work to figure out.

A best practice is to define tag policies at the Subscription level (e.g. subscription policies for required tags). Keep in mind that remediation tasks are currently not supported on Management Groups.

To create a tag policy, open Policy in the sidebar and select Assignments.



Click on Assign policy and select your Azure Subscription (or a Management Group) as Scope. This brings up the Assign policy blade.



At the end of the Policy definition field, click on … to launch the policy definition picker page. Because we're making a tag policy, type in tag in the Search column. This will bring up the list of available tag Policy Definitions.



Select Require tag and its value.



Type in a Description and set Policy enforcement to Enabled. Click Next.



Apply a Tag Name (ResourceOwner) and a Tag Value (wmatthyssen). Click Next (x2).



On the Review + create page, validate all parameters and click on Create.



You can check your newly created tag policy under Assignments. Now every created resource will have this tag enforced.



You can find more information about using tags with Azure Policy on the following Microsoft Docs page.


Summary

Azure resource tags provide a way to quickly organize all your Azure resources. That is why, together with a strong naming convention, they should be a core element in your Azure Governance strategy.

That brings me to the end of this post and before closing off, I just wanted to say, I am excited to be part of this online event and trust you will take away new things from all the content shared on the Azure Spring Clean website.

If you have any questions or comments about my post, always feel free to contact me through my Twitter handle @wmatthyssen and make sure to follow the #AzureSpringClean hashtag to get your Azure environment cleaned up throughout the whole month of February.

Happy cleaning and TAGing!

