Azure has many controls out of the box that helps tailor the experience to an organization on Azure. Such controls include Azure Management Groups for organizing subscriptions, Azure AD with Role-Based Access Control (RBAC) to manage access to Azure resources, Subscriptions and Resource Groups for organizing resources, and Azure Policy to enforce compliance and augment security on Azure. Beyond these controls though, there may be a need to help organize and manage resources on Azure that don’t fit into any of these more prescriptive models as one begins to plan and implement a governance and security strategy on Azure. This is where tagging comes into play. Because tags are more arbitrary, the tags can be applied across subscriptions, resource groups, and resources according to the patterns that are employed by the users.
There is no one-size-fits-all approach to creating a tagging strategy. Rather, the conversation starts with trying to understand how resources are going to be organized on Azure from a management and security perspective first. Once this is done, tagging can then be applied. It’s best to think about tagging on Azure before getting too far into one’s Azure journey because it is much easier to implement and enforce tagging on Azure before a deployment gets too large. Because tagging is arbitrary though, all sorts of different approaches and uses for tagging can be employed ranging from technically oriented tags that apply to how resources operate to business-oriented tags useful for helping shape business needs.
Here are five broad categories of tags to think about when employing tagging on Azure. Think of these as being signposts on a gradient ranging from technical to business:
Assessing the landscape of one’s organization often will help precipitate the tagging strategy to be employed with Azure.
Beyond the tagging strategy itself, there also comes a need for tagging enforcement as part of compliance. Because tagging is arbitrary, and therefore organizationally specific, which tags and the values for those tags are not something that Azure provides or enforces. However, it is possible with Azure Policy to enforce a tagging strategy.
Here are three ways to approach this:
{ "mode": "Indexed", "policyRule": { "if": { "allOf": [ { "field": "tags[environment]", "exists": "false" }, { "field": "tags[unit]", "exists": "false" }, { "field": "tags[shutdown]", "exists": "false" } ] }, "then": { "effect": "append", "details": [ { "field": "tags[environment]", "value": "dev" }, { "field": "tags[unit]", "value": "it" }, { "field": "tags[shutdown]", "value": "never" } ] } } }
Additionally, a similar policy can enforce specific values for tags on a resource. The following policy ensures that tag values fall into a predefined set of values, and denies a resource creation if the tags are not in the range.
{ "mode": "Indexed", "policyRule": { "if": { "anyOf": [ { "field": "tags[unit]", "notIn": ["it","acct","hr","man"] }, { "field": "tags[environment]", "notIn": ["dev","test","uat","prod"] } ] }, "then": { "effect": "deny" } } }
The bottom line with policy enforced tagging is that there is more than one way to accomplish the strategy.
Creating a tagging strategy is a fundamental part of a comprehensive governance and security practice on Azure. It, therefore, requires thought and planning from the IT organization to both plan and implement. Adopting a strategy to set up and enforce tagging though can have profound implications on how well your organization uses and manages Azure for all things compute.
To learn more about Azure Tagging, join me for my upcoming live webinar on January 14th, 2021:
Microsoft Azure and Amazon Web Services (AWS) are two of the most popular cloud platforms.…
Cloud management is difficult to do manually, especially if you work with multiple cloud…
Azure’s scalable infrastructure is often cited as one of the primary reasons why it's the…
https://www.youtube.com/watch?v=wDzCN0d8SeA Watch our "Unlocking the Power of AI in your Software Development Life Cycle (SDLC)"…
FinOps is a strategic approach to managing cloud costs. It combines financial management best practices…
Using Kubernetes with Azure combines the power of Kubernetes container orchestration and the cloud capabilities…