Microsoft Azure Tags
Andrew Posted on 5:25 pm

Azure Tags – Tagging Best Practices

Today, we will talk about why we should use tags in Azure, and start expanding on the idea and see what tagging can do to improve our subscriptions. We look at using tags with cost monitoring, app owner improvements, security, and data classification — all through Azure Tags. Let’s jump right in and get up to speed on the great things we can accomplish with tagging!

Topics that we’ll cover here:
+ Cost Management and Monitoring with tags
+ Improving the App Owner’s experience with tags
+ Security considerations for using tags
+ Tagging and data classification
+ Azure Policy and tags

Tags are really part of good resource management and governance. We can use Azure Policy to drive tag compliance and report on it, and we can drive actions based on tag values: automation such as vulnerability scanning, power schedules, cost management reporting, and compliance monitoring can all select resources by tag. In this article I summarize five pieces of a best-practices strategy for using tags in your Azure subscription.

Cost Management and Monitoring with Tags

Like all business operations we need to keep track of costs and expenses, and make sure that we are building systems with this as part of our overall design. To that end, cost tracking with tags is pretty easy in Azure now. Let’s say you’ve setup some tags and key values as follows:

Tag Key          Value
CostCenter       0012345
OperationsTeam   Bob Jones, Matt Fields, Sally Sox

The tag we are really interested in here is ‘CostCenter’. Its value is usually an internal cost center or account number that can be mapped back to an account, project, or department for the purpose of billing resource costs to it.

If you wanted to see what resources are in your subscription with a particular cost center tag value, you could use this:

# Names of all resources in the current subscription tagged CostCenter = 0012345
(Get-AzResource -Tag @{ "CostCenter"="0012345"}).Name

The above command, run in Azure Cloud Shell (or any PowerShell session with the Az module and an active login), returns the names of all resources in the current subscription that carry exactly that tag name and value. Tag names are case-insensitive, but tag values are case-sensitive, so a value with different casing or a stray space will not match.

You can use these tags to group your billing data. As an example, if you’re running multiple VMs for different organizations, use the tags to group usage by cost center. You can also use tags to categorize costs by runtime environment, such as the billing usage for VMs running in the production or other environments.

You can retrieve billing information about tags by downloading the usage file, a comma-separated values (CSV) file available from the Azure portal. For more information, see Download or view your Azure billing invoice and daily usage data. When downloading the usage file from the Azure Account Center, select Version 2. For services that support tags with billing, the tags appear in the Tags column as JSON-style key/value pairs, so they can be parsed and grouped like any other field; rows for untagged resources have an empty Tags column and are what shows up as unallocated spend.
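The two halves of that workflow, as an added example that is not code from the original post: first a coverage report that finds resources missing the CostCenter tag in the live subscription, then a parser that allocates cost from a downloaded usage file by that tag. It assumes the Az.Resources module and a Connect-AzAccount session for the live part; the usage-file column names (Date, ResourceId, Cost, Tags) and the sample rows are constructed for illustration, so check them against your own export.

```powershell
# Added example, not code from the original post. Assumes Az.Resources and an active
# login for Get-CostCenterCoverage; column names and sample rows below are constructed.

# Part 1: live tag coverage in the current subscription
function Get-CostCenterCoverage {
    param([string]$TagKey = 'CostCenter')
    $resources = Get-AzResource
    # Tags is $null on untagged resources, so guard before ContainsKey
    $untagged  = $resources | Where-Object { -not $_.Tags -or -not $_.Tags.ContainsKey($TagKey) }
    [pscustomobject]@{
        Total    = $resources.Count
        Untagged = $untagged.Count
        Missing  = $untagged | Select-Object Name, ResourceType, ResourceGroupName
        ByValue  = $resources |
                     Where-Object { $_.Tags -and $_.Tags.ContainsKey($TagKey) } |
                     Group-Object { $_.Tags[$TagKey] } |
                     Select-Object @{ n = $TagKey; e = { $_.Name } }, Count
    }
}

# Part 2: allocate cost from usage-file rows by the CostCenter tag
function Get-CostByTag {
    param(
        [Parameter(Mandatory)][object[]]$UsageRows,
        [string]$TagKey = 'CostCenter'
    )
    $UsageRows | ForEach-Object {
        $raw   = [string]$_.Tags
        $value = '(untagged)'
        if ($raw.Trim()) {
            # Exports are seen both with and without the surrounding braces;
            # normalise so ConvertFrom-Json accepts either form.
            if (-not $raw.Trim().StartsWith('{')) { $raw = "{ $raw }" }
            $tags = $raw | ConvertFrom-Json
            if ($tags.PSObject.Properties[$TagKey]) { $value = $tags.$TagKey }
        }
        [pscustomobject]@{ Tag = $value; Cost = [decimal]$_.Cost }
    } | Group-Object Tag |
      Select-Object @{ n = $TagKey; e = { $_.Name } },
                    @{ n = 'Cost';  e = { ($_.Group | Measure-Object Cost -Sum).Sum } } |
      Sort-Object Cost -Descending
}

# Constructed sample rows standing in for a downloaded usage file
$sample = @'
Date,ResourceId,Cost,Tags
2024-01-01,/subscriptions/s/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1,12.50,"{""CostCenter"": ""0012345"", ""Environment"": ""Prod""}"
2024-01-01,/subscriptions/s/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm2,7.25,"""CostCenter"": ""0099999"""
2024-01-01,/subscriptions/s/resourceGroups/rg2/providers/Microsoft.Storage/storageAccounts/st1,3.00,
'@ | ConvertFrom-Csv

Get-CostByTag -UsageRows $sample | Format-Table -AutoSize

# Live inventory (needs a login):
# Get-CostCenterCoverage | Select-Object Total, Untagged
```

The '(untagged)' bucket is the number to watch: it is spend nobody can be charged for, and it is usually where the next governance conversation starts. Run the coverage report on a schedule and feed the Missing list back to the resource-group owners.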

Improving the App Owner’s experience with tags

An area where many organizations struggle to keep in good standing is the App Owner experience. By ‘experience’ I really mean governance and support. This is an area that needs a scheduled review of your tags and their values: people and systems change over time, and so do the needs of a system as it grows or shrinks. We need to think about the System Development Life Cycle here, and also about people changing roles or leaving the organization.

Using tags such as:

  • Environment: Prod/Dev/Test
  • BusinessCritical: high/med/low
  • AppOwner: YourNameHere
  • OperationsTeam: Bob Jones/Jane Doe/Pat Patterson

we can see at a glance where a system is intended to operate (Production, Development, or Testing) and how critical it is, which lets us understand its uptime needs, RPO, RTO, and general importance. We should also have tags that tell us who is in charge of the application or system, and who to contact for operational issues such as scheduling updates, possible outage impacts, or other changes affecting operations.

It is important that we review and update these tag values occasionally. I have this habit of scheduling this type of activity as a recurring support ticket to ensure that the maintenance of these gets done even if I’m not part of it. The best part of this is that it also reminds the organization that a review is due to be completed.

The first time you go through this exercise it is definitely an exercise – like climbing up a steep hill. The second time you do this it gets easier, and by the third time you go through and do this, you’ll likely have a good idea of what needs to be updated already and it will be much less work as you move forwards. The hardest part is getting started.

Security considerations for using Tags

Consider using tags to help identify systems that store, process, or present financial or highly confidential information in your organization. Marking systems that process highly confidential data, or that carry specific audit requirements such as medical data processing, lets you automate other audit processes. Tags are also helpful for systems that need a specific patching sequence, or for automation that checks a tag value before making changes to a resource. An example is a patching system that applies high-risk operating system or application patches to sensitive systems on a faster cycle than to everything else. Tags can also record which roles are expected to have access to a highly secured resource, which helps with access and data compliance reviews. Two caveats apply. Tags are metadata, not a control: they are stored in plain text and readable by anyone with read access to the resource, so never put secrets or sensitive values in them, and never treat a tag as an authorization boundary; access is granted by RBAC, and the tag only documents what RBAC should say. And any automation that branches on a tag value trusts whoever can write tags (the Tag Contributor and Contributor roles), so restrict who can change them and enforce the allowed values with Azure Policy.

Tagging and Data Classification

Utilize tagging to help identify the data types that a tagged resource handles. A real-world use case is an application that processes job applicants. Consider the types of data that pass through that system. If it is a large-scale tiered application we would have a front-end tier such as a web server, a middle tier such as a processing server that handles validation and sorting, and a data tier with a database that stores our data. In this example we would apply a tag such as “Data Classification:Personally Identifiable” to each Azure resource that touches information that may be personally identifiable. This really helps us make sure that we design and maintain those systems with proper consideration for the data involved.

Another use that I’ve seen in organizations is tagging data classifications to help with the type of auditing needed on those resources. This helps to ensure organization compliance for certifications that require frequent audits and strict controls on certain types of information.

Tag Key                Value
Data Classification    Non-Business
                       Personally Identifiable
                       Highly Confidential
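The tag-driven patching automation described in the security section, applied to the data classification values above, as an added example that is not code from the original post: it derives a patch ring for each VM from its ‘Data Classification’ and ‘BusinessCritical’ tags, records it as a separate tag, and dry-runs by default. It assumes Az.Resources, an active login, and the tag keys and values used in this post; the ‘PatchRing’ tag and the ring names fast/standard/slow are hypothetical conventions.

```powershell
# Added example, not code from the original post. Assumes Az.Resources and an active
# login; 'PatchRing' and the ring names are hypothetical conventions for this example.

function Get-PatchRing {
    param([hashtable]$Tags)
    $classification = if ($Tags) { $Tags['Data Classification'] } else { $null }
    $criticality    = if ($Tags) { $Tags['BusinessCritical'] }    else { $null }

    # Fail closed: a VM nobody has classified is treated as sensitive, not ignored,
    # so an untagged machine lands in the fastest ring rather than silently falling behind.
    if (-not $classification) { return 'fast' }
    if ($classification -eq 'Highly Confidential' -or $criticality -eq 'high') { return 'fast' }
    if ($classification -eq 'Personally Identifiable') { return 'standard' }
    return 'slow'
}

function Set-PatchRingTags {
    param([switch]$Apply)
    $vms = Get-AzResource -ResourceType 'Microsoft.Compute/virtualMachines'
    foreach ($vm in $vms) {
        $ring = Get-PatchRing -Tags $vm.Tags
        if ($Apply) {
            # Merge adds or overwrites only PatchRing and leaves every other tag intact;
            # -Operation Replace would wipe the owner and cost-center tags.
            Update-AzTag -ResourceId $vm.ResourceId -Tag @{ PatchRing = $ring } -Operation Merge | Out-Null
        }
        [pscustomobject]@{
            Name           = $vm.Name
            Classification = if ($vm.Tags) { $vm.Tags['Data Classification'] } else { $null }
            PatchRing      = $ring
        }
    }
}

# Dry run first; rerun with -Apply once the table looks right
Set-PatchRingTags | Format-Table -AutoSize

# A patching job then selects its targets by the derived tag alone:
# Get-AzResource -ResourceType 'Microsoft.Compute/virtualMachines' -Tag @{ PatchRing = 'fast' }
```

Keeping the decision in one function means the classification-to-ring mapping is reviewed in one place, and the derived tag gives the patching job a single selector. Remember that the derived value is only as trustworthy as the input tags, so the people who can change ‘Data Classification’ on a resource are effectively deciding its patch cadence.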

Azure Policy and Tags

Using Azure Policy, you can avoid the scenario of resources being deployed to your subscription without the tags your organization expects. Instead of applying tags by hand or hunting for non-compliant resources, you create a policy that denies or audits deployments missing a required tag, and a policy with the modify effect that adds the needed tags during deployment. Modify policies only act on resources as they are created or updated; existing resources are brought into line by running a remediation task against the assignment. This is the most efficient way to ensure good governance of tagging in your subscription, and it is easy to customize. There are limitations to be aware of: tags are not inherited from the resource group automatically (a modify policy is how you copy them down), only resource types that support tags can be tagged, and a modify assignment needs a managed identity with enough rights to write tags. I use my Azure Dev/Test Labs subscription to test exactly this type of thing before moving it into production. To learn more about tagging with Azure Policy, check out the Microsoft Docs reference on the subject.
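The policy pair just described, as an added example that is not code from the original post: a custom definition that denies new resources lacking a required tag, a second one with the modify effect that copies the tag from the resource group when it is missing, and a remediation task that back-fills resources that already exist. It assumes Az.Resources and Az.PolicyInsights; the scope, tag name and region are placeholders, and the cmdlet parameter and property names follow Az.Resources 6.x (-IdentityType, .PolicyAssignmentId), so older module versions that used -AssignIdentity will need adjusting.

```powershell
# Added example, not code from the original post. Assumes Az.Resources 6.x and
# Az.PolicyInsights with an active login; $scope, $tagName and $location are placeholders.

$scope    = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder
$tagName  = 'CostCenter'
$location = 'eastus'   # region where the assignment's managed identity is created

$parameters = @'
{ "tagName": { "type": "String", "metadata": { "displayName": "Tag name" } } }
'@

# 1. Deny creation of resources without the tag. This touches new deployments only;
#    whatever already exists is unaffected and must be handled by the modify policy below.
$denyRule = @'
{
  "if":   { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
  "then": { "effect": "deny" }
}
'@

# 2. Inherit the tag from the resource group when the resource lacks it. The modify effect
#    runs as the assignment's managed identity; b24988ac-... is the built-in Contributor role.
$inheritRule = @'
{
  "if": { "allOf": [
    { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" },
    { "value": "[resourceGroup().tags[parameters('tagName')]]", "notEquals": "" }
  ] },
  "then": { "effect": "modify", "details": {
    "roleDefinitionIds": [ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
    "operations": [ {
      "operation": "addOrReplace",
      "field": "[concat('tags[', parameters('tagName'), ']')]",
      "value": "[resourceGroup().tags[parameters('tagName')]]"
    } ]
  } }
}
'@

# Mode Indexed limits evaluation to resource types that support tags and location,
# which is the "what policy can tag" limitation mentioned above
$deny    = New-AzPolicyDefinition -Name 'require-tag' -DisplayName "Require $tagName tag" `
               -Mode Indexed -Policy $denyRule -Parameter $parameters
$inherit = New-AzPolicyDefinition -Name 'inherit-tag-from-rg' -DisplayName "Inherit $tagName from resource group" `
               -Mode Indexed -Policy $inheritRule -Parameter $parameters

New-AzPolicyAssignment -Name 'require-tag' -Scope $scope -PolicyDefinition $deny `
    -PolicyParameterObject @{ tagName = $tagName } | Out-Null

$assignment = New-AzPolicyAssignment -Name 'inherit-tag-from-rg' -Scope $scope -PolicyDefinition $inherit `
    -PolicyParameterObject @{ tagName = $tagName } -IdentityType SystemAssigned -Location $location

# The identity must actually hold the role named in roleDefinitionIds, or modify fails
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionName Contributor -Scope $scope | Out-Null

# Policy modifies resources only on create/update; a remediation task applies it to existing ones
Start-AzPolicyRemediation -Name 'backfill-tag' -PolicyAssignmentId $assignment.PolicyAssignmentId -Scope $scope
```

Assign the deny policy in audit mode first (change the effect to "audit") to see what would have been blocked, and expect the role assignment to take a few minutes to propagate before the remediation task succeeds.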

I hope that this gets you excited about the possibilities in your own subscriptions using Azure Tags. One of the things I put in place most often is tagging for cost management, so if you’re not using tags to drive cost analysis and budgets, please take a look so that you gain better insight into your cloud spend. Until next time!