Azure Tags – Tagging Strategy
In the previous article I talked about why we should use tags in Azure and what those tags can help us do. This article expands on the goals set and the basic foundation built. Today we build our tagging strategy and the list of tags and values that we’ll use in our subscription to address some primary concerns such as governance, compliance, security, and data classification.
Check out the first article here to learn about why we should be using tags in Azure, and to understand the goals that we’ve set for our tagging strategy.
Let’s take a look at Microsoft’s own recommendation for building a tagging approach:
Above, we can see that we can use a simple or complex strategy and we can put the emphasises on what matters to our own business. This is important because we know that we now have the flexibility to use the metadata of tags to help move our business goals into reality.
In the previous article, we laid out what our goals are, but here’s a recap:
- In our case, we want to use tags to identify the team responsible for a resource, who the owner is, and where the costs for a resource should be billed back to. We’ll add a couple other tags as we develop our strategy here, but this is our basic short-term goal.
- Governance and compliance will be another driver for our tagging. We need to maintain consistency and tagging will help us to identify anything not being created using defined tags. After implementing our tagging strategy, we’ll be able to to evaluate if resources are being created according to policy and confirm if governance policies are being followed. This is our long-term goal.
- Security will benefit from having resources tagged correctly so that systems can be associated and identified more easily. The tagging strategy should include some usability improvements such as: Azure Sentinel playbooks will be able to provide resource tags in alerting messages to speed identification of impacted resources from an event. This will be our goal for security improvement and system efficiencies.
- Data classification will also be included in our tagging strategy so that we can more easily identify the sensitivity of data hosted by the tagged resource. This will be our lofty goal of data classification.
So, we have 4 main goals that we want to meet. Let’s see if we can build out our tags to meet this goals. Below, I’ve written a chart of tags and values that should help us to meet our goals:
| Tag Name | Description | Values |
| ApproverName | Person responsible for approving costs related to this resource | Approver [email protected] |
| OpsTeam | Team accountable for operations | CloudOps Vendor MSP-Name AppTeamA |
| Owner | The person who owns the app, workload, or service | Owner [email protected] |
| CostCenter | Account cost center | CostCenter 12345 |
| AppName | Added for clarity if the service is comprised of multiple applications or resources | AppName ApplicationNameHere |
| BusinessCriticality | Business impact of this resource or supported workloads | Criticality Low Medium High BusinessCritical |
| DataClassification | Sensitivity of the data hosted by this resource | DataClassification Non-Business Public General Confidential HighlyConfidential |
| DisasterRecovery | Business impact of this resource or supported workloads | DR High BusinessCritical |
Winning Strategy Tips
Start small – use the least amount of tags and values that you can to meet your goals. It’s hard to design for less complexity, but that is the sweet spot!
Constrain Tag Values – use Azure Policy and other means such as PowerShell in Azure Runbooks to enforce tag values. When tags are entered manually, there is an opportunity for error. If the tags are set by automation, the code can be reviewed, tested, and even enhanced over time to ensure that the defined tag values are used.
Adopt a Standardized Naming approach – you may remember from the first article that I mentioned that Azure Tags have case requirements. In Azure, tags are not case sensitive for tag names, but the tag values ARE case sensitive. This is very important.
TagName=tagvalue
Tagname=tagvalue
tagname=TagValue
There are only 2 different tag values above, it’s a simple thing but I often see this challenge arise in subscriptions where governance lags behind manual resource tagging. Human error will manifest here every time!
Use Automation – automation tools such as Azure Policy, Runbooks, even ServiceNow integration can greatly improve consistency in Azure tags. This can also prevent resources from being incorrectly tagged so that automation tools such as ServiceNow or Azure Sentinel Playbooks have greater accuracy down the road.
Regularly Audit your Tags – develop a cycle in which different resources from IT audit the tags, validate the tag values, and engage resource owners to keep all the tag information up to date. This is key for long-term success.
Have a policy in place to address untagged resources – as much as automation and governance actions will help improve your tags; you will still need to address the occasional untagged resource. Have a policy in place so that your IT Team knows how to address this and get it resolved. Remember to include code enhancements for automation tools in use.
Lock Down Tags used for Access Control – something I did not address in this article, but can be used with great success is tags to govern access control. Ensure these are addressed by restricting access to creating, deleting, and modifying those tags.
Whew! Now that we’ve made our list of tags and really looked deeply at what tags we will use to meet our goals; and additional tips on building your own tagging strategy we only have one more part left to discuss next time…best practices.
Join me in the next and final article in this mini-series on Azure Tags as we wrap up our ‘soup to nuts’ discussion on tagging strategies that work.
Sources:
https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/resource-tagging/