Tags provide a fairly simple way to label resources in a way that makes sense to your organization, such as to a specific engineering team. It enables you to assign categories to your resources so you can easily group, monitor, track, and filter them in any environment.
So, how do tags and tagging work in Azure?
This bookmarkable guide on Azure tagging includes:
Table Of Contents
What Are Tags In Azure?
In Microsoft Azure, tags are metadata that consists of a key-value pair to describe a particular resource in your environment.
In particular, tagging in Azure enables you to label your resources in a logical manner, including individual resources, resource groups, and subscriptions. This helps you identify your resources wherever they are based on certain criteria you decide on as an organization.
You can then keep track of what resources you have available and where those resources are located, You can do that by organizing the resources based on criteria such as who created them, what their purpose is, and any other criteria.
This way, you can quickly query, filter, retrieve, and analyze your Azure resources’ data for management.
Microsoft Azure lets you assign tags to your resources through Azure Portal, Azure PowerShell, Azure Resource Manager JSON templates, and Azure CLI.
Here’s the kicker. You’ll need to tag a lot of your resources to get granular data on them. Yet, that tends to make tagging an endless job. So, is it worth it? Well, here are some major benefits of tagging resources in Azure.
Why Would You Use Tags In Azure?
Tags enable you to organize your Azure cloud resources to support governance, cloud financial management, and operational control.
Here are more examples of benefits and use cases of using a well-defined naming and tagging system in Azure:
- Manage resources – Quickly locate resources associated with particular teams, workloads, costs, usage metrics, environments, and other relevant information.
- Control access – Be able to assign roles, track user activities, and set access permissions to support accountability and efficiency in resource management.
- Manage and optimize costs in Azure – Accurately associate resource usage and related costs with the specific people, products, and processes that consume them. Cost-related tags in Azure support data such as:
- Resource usage and associated costs
- Recurring spend
- Budget changes
- Cloud accounting models
- ROI calculations
- Post-implementation optimizations
- Cost-optimization recommendations
- Streamline operations in Azure – Get visibility into specific resources to support sorting, analysis, and bulk actions that are mission-critical.
- Manage Azure security – Identify areas that are affected by security issues so you can troubleshoot and fix them more quickly.
- Practice governance and compliance management – Consistent resource tagging helps identify deviations from policies, allowing you to fix anomalies before they become a regulatory nightmare.
- Support auditable automations – To automate a system, you need consistent naming and attribution conventions for related resources. For instance, you can use automation to detect, report, and remediate a non-compliant resource, such as an unencrypted storage bucket, or an over-provisioned virtual machine, ensuring these resources are compliant with your organization’s policies.
- Optimize workloads – Identify patterns that relate to specific workloads and fix specific problems in them. This way you can conduct deep analyses of your mission-critical workloads and make sound architectural decisions.
What Are The Challenges With Tagging In Azure?
Tagging can be time-consuming, add complexity to Azure management, and become a never-ending battle to help stakeholders understand how your resources are organized.
But there’s more. Tags have some limitations in Azure, including:
The tag feature is not applicable to all resource types
You can check whether a resource type supports tags by visiting Tag support for Azure resources.
The maximum number of tag name-value pairs for a resource, resource group, and subscription is 50
You’d have to use a JSON string for the value if you wish to apply more tags. This JSON string can accommodate most of the values you apply to one tag name. Each subscription or resource group can have many resources with 50 tag name-value pairs each.
A tag’s name can have up to 512 characters and 256 characters for the value
Storage accounts have a 128-character tag name limit and a 256-character tag value limit.
Azure tags do not apply to classic resources
This includes Cloud Services.
IP Groups and Firewall Policies in Azure do not support PATCH operations
So operations based on the PATCH API method cannot update tags via the portal. You’d have to use update commands for these resources, such as the az network ip-group command to update an IP group’s tags.
Tag names cannot contain certain characters
- Tag names cannot contain <, >, %, &, , ?, /
- Using spaces or starting a tag with a number is not allowed in Azure Domain Name System (DNS) zones. And neither do Azure DNS tag names support Unicode and special characters. However, the value can use any character.
- Traffic Manager doesn’t allow spaces, hashtags (#), or colons (:) in a tag name — nor can a number be the first character.
- Azure Front Door won’t allow a hashtag (#) or a colon (:) in a tag name.
You are limited to 15 tags on the following Azure resources
- Azure Content Delivery Network (CDN)
- Azure Automation
- Azure Log Analytics Saved Search
- Azure DNS (Zone and A records)
These limitations are specific to the Azure cloud. In general, tags, tagging, and tags management presents additional challenges, including:
Manually tagging resources is tedious and error-prone
You have to ensure all your tags are consistent. For example, while keys are case-insensitive, values are. This requires keeping everyone on your operations teams aware of your naming and metadata value conventions to prevent applying different tags to the same Azure resources.
Using Azure Policy, you can tag resources or block their creation if they lack the necessary tags.
The feature enforces rules and conventions for tagging in Azure. For example, a policy can prevent deploying resources to your subscription if they don’t comply with your organization’s expected tags.
Another policy can automatically add the tags you need when deploying resources. This means you don’t have to manually add or search for non-compliant tags in your Azure environments.
In addition, Azure lets you tag an existing resource with a remediation task and Modify effect.
Developing a comprehensive Azure tagging strategy involves input from multiple stakeholders
This can be tricky and a lot of work to coordinate. It’s something many organizations haven’t done yet or find increasingly tough to do as their cloud workloads increase rapidly.
Insufficient governance, enforcement, and consistency
As circumstances change, including team members, cloud services, and leadership, any existing tagging conventions will inevitably become obsolete if not actively maintained.
As part of this maintenance, it is essential that a specific individual, team, or role applies Azure tagging best practices continuously to maintain the integrity of the tagging system. How?
15 Azure Tagging Best Practices to Apply Right Away
If you follow these simple guidelines when tagging Azure resources, you can create a robust system for identifying them. And this can facilitate better governance, security, and cost management for your organization.
1. Decide on a common or several naming and tagging conventions and stick to them
Identify the most relevant, simple, and effective way to tag resources with representatives from different areas of your organization. The tags should reflect their daily routines, workflows, and culture. This approach leads to buy-in and the commitment you need to maintain these standards in the future.
2. Tag from the get-go
You can apply tags to existing Azure resources. But you’ll be better off applying them right when you create the resource. This best practice ensures you can start tracking performance, cost, security, and other insights right from the beginning, ensuring you don’t miss anything.
3. Start small and grow as you go
It can be challenging to design for simplicity, especially if you have a lot of resources to monitor or want more detailed metadata. Yet, if you want to prevent overwhelm and make learning easier for your team, start with the tags that are absolutely necessary. You can add more tags as the need arises.
4. Simple does it
A single key-value pair is easier to manage than multi-value tags.
5. Set up rules for Azure tagging and enforce them
Your Azure tagging strategy should be consistent throughout, from abbreviations to spelling. By establishing this governance structure, you ensure that everyone knows what tags to use, when, where, and how to query them without causing confusion or compromising analytics.
6. Use Azure-recommended tagging conventions
This is straightforward. By following standard Azure tagging and naming conventions, you can prevent a variety of issues, such as being unable to collect or locate tagged resources. Remember, monitoring reports that contain errors or misleading information can be more detrimental than having no reports at all.
7. Use multiple built-in policies and apply them as a single initiative.
The advantage of this approach is that you can apply many built-in Azure policies. These built-in policies enable you to require a particular tag or a specified tag with a value. You can add multiple instances of the built-in policy under an initiative. You can then deploy that initiative to your management group, resource group, or subscription.
With this approach, you may need to apply several policies to have a full-fledged tagging strategy, but you’ll be using built-in policies to enforce tagging on Azure.
8. Automate tagging according to your organization’s conventions with Azure Policy
Here are a few examples of tag policies you can create and deploy:
- Add a tag to Azure resource groups — Adds the desired tag and value every time you create or update a resource group that’s missing the tag.
- Add a tag to Azure resources — Applies the selected tag and value whenever resources without this tag are created or updated.
- Apply or replace a tag on Azure resource groups — Creates or overwrites the specified tag and value whenever your resource group is updated or created.
- Inherit a tag from the resource group if missing — Fills in the specified tag with the value of the parent resource group when creating or updating a resource without this tag.
Azure policies simplify tags management in the Azure cloud, so your teams don’t have to spend a lot of time manually searching, tracking, and organizing tags — or dealing with conflicting and outdated tags.
9. Test your tagging policies and conventions
Prior to running specific tags in production, verify that they work as intended. By testing, you can also see exactly what level of granularity you can expect in the future. You can add more tags to subcategorize related resources if you want to refine your classification even further.
10. Align technical (functional and operational) tags with engineering requirements
Consider tagging your Azure resources according to your engineers’ language, such as the name of the workload, environment, application, or service. For example, you can use the key Team A with the value production. This simplifies tagging, ensuring your technical teams understand exactly what a resource is for without needing to figure out a fancy new convention.
11. Align Azure cost allocation tags with business units and accounting conventions
Also, you’ll want to ensure that your Finance and Operations, or FinOps teams, speak the same language. Hence, tag usage and associated costs with dimensions such as cost center, team, product, service, etc. These tags reflect business interests.
By mapping an Azure asset’s business value to its operational costs, you can more easily tell if you are making the most of the resource, for example.
12. Add more tags to your Azure cost reports if you need to
You can apply extra tags using any of the existing tag names and values in your Azure usage report. This is particularly useful when you want to generate a report that summarizes the costs multiple tags incur in a subscription. This means you can make corrections wherever and whenever you need to support more accurate cost allocation.
13. Audit your tags regularly
Establish a cycle where a team comprising different stakeholders, such as finance and engineering, audits the tags. In addition to making sure tags and values are up-to-date, you should analyze if they serve their intended purpose or if they need to be modified.
14. Govern your Azure Resource Groups
Keep the following in mind about resources and resource groups in Azure:
- All group resources must follow the same lifecycle. For instance, when several resources must be updated together for a specific application, the resources should be in the same resource group. In contrast, for dev/test, staging, or production, you’ll want to use different resource groups due to the different lifecycles of the resources in each group.
- You can add or remove resources from a Resource Group. The key is, each resource needs to be part of an Azure Resource Group, so removing it from one Group must be followed by adding it to another.
- Consider locating all resources in a resource group in the same region to reduce latency
- Control access to resources with resource groups.
- Deleting an Azure resource group deletes all its resources.
- Each resource group can deploy up to 800 instances of a specific resource type.
Azure Resource Groups provide a quicker way to group together related Azure resources, so you can manage them as a single unit. Resource Groups help you to quickly identify and manage all the resources associated with a particular project, application, or service. They also help you to control access to the resources in the group and apply policies to them.
15. Establish a policy for handling untagged resources
Azure tags are not applicable to all resources. The problem with untagged resources is that they are a blind spot, for a variety of reasons such as security, cost, or performance concerns. So, define a policy to guide your people through what to do about untagged resources. How?
When life gives you untagged resources, you can’t just tag ’em up and move on!
Besides, there are also untaggable and shared resources in multi-tenant environments to take care of. This data can be harder to collect, leaving you with a major blindspot in your Azure cloud management.
If you’re feeling overwhelmed, in the dark, and your current cost tool just ain’t cutting it, CloudZero can help — even if you have imperfect tags.
What To Do If Your Tagging Is A Mess
CloudZero helps you capture data about tagged, untagged, untaggable, and shared resources with a unique, code-driven approach — all without endless tagging.
By combining metadata about resource usage with context from your infrastructure and applications, CloudZero delivers cloud cost intelligence.
Better yet, CloudZero organizes and breaks down that data into immediately actionable intelligence, and by role; engineering, finance, and FinOps.
Each stakeholder can view their costs and usage in their own language, cultivating a cost-aware culture:
- Engineers can view costs based on technical concepts such as cost per feature, per product, per environment, per deployment, per project, per dev team, and more — down to the hour. Your engineers can also see how a change to code impacts costs almost immediately, so they can develop competitive, cost-effective solutions.
- Finance and FinOps can view cost data in accounting and budgeting dimensions, such as cost per customer, per project, per team, per hour/day/week/month, etc. This level of cost insight can help you decide how much to charge a customer at renewal to protect your margins. Or, you can determine how much discount to offer without eroding your profit.
Plus, the data is available for CFO, CTO, and board meetings in a visual, easy-to-digest format, including COGS and gross margin data. The leadership can then answer questions such as:
- How will our costs change if we onboarded 10 new customers tomorrow?
- What customer segment is the most profitable so we can target our marketing strategy to attract more of them?
No need to take our word for it.
Remitly uses CloudZero to allocate 50% more costs without tagging. ResponseTap used CloudZero to identify unallocated resources and saved 18% in annual cloud spend. Beamble now turns multi-tenant infrastructure costs into per-customer metrics. CloudZero saved Drift $2.4 million in annual spend. Take advantage of CloudZero’s proven results. — it’s free.