Tag: Governance

Azure Tags

Use Azure Tags to organize Resources

I started with a blog about Locks in Azure, which is one of the basic Azure Governance features provided by Azure Resource Manager. In this second blog, I want to give you a quick overview of how you can use tags to organize your Azure resources. As mentioned before governance in Azure provides you with the necessary tools to take advantage of the speed and agility the cloud promises, without losing control over your environment.

Cloud-Native Governance

Cloud-Native Governance

When you start working with Azure, you realize that you will have suddenly many resources. If you work for a company or team, you will realize that at one point it will be difficult to identify resources, find out who they belong to, or are they still needed, and are the production or development, who is paying for it, and many more questions are coming up.

With Tags in Azure, you can start tagging your Azure resources to logically organize them into a taxonomy.  A tag consists of a name and a value pair. For example, you can apply the name “Environment” or “Department and the value “Production” or “Finance” to resources.

Tags are name/value pairs that enable you to categorize resources and view consolidated billing by applying the same tag to multiple resources and resource groups. Tag names are case-insensitive and tag values are case-sensitive.

You can apply tags to:

  • Azure Resource
  • Resource Groups
  • Subscriptions (New)
Tags to Azure Subscription

Tags to Azure Subscription

Adding tags to your resource will help you when you need to organize resources for billing or management. Also, Azure Management tools like Update Management can make use of tags. For example, you can create dynamic groups of your virtual machines for different update schedules using tags.

Cost Management with Azure Tags

Cost Management with Azure Tags

Use Azure Policy to manage Tags

You can also use Azure Policy to apply tags to resources or block resources from being created if they do not have the necessary tags.

You can use Azure Policy to enforce tagging rules and conventions. By creating a policy, you avoid the scenario of resources being deployed to your subscription that don’t comply with the expected tags for your organization. Instead of manually applying tags or searching for resources that aren’t compliant, you can create a policy that automatically applies the needed tags during deployment. Tags can also now be applied to existing resources with the new Modify effect and a remediation task.

Limitations for Azure Tags

Tags come with certain limitations:

  • Not all resource types support tags. To determine if you can apply a tag to a resource type, see Tag support for Azure resources.
  • Each resource or resource group can have a maximum of 50 tag name/value pairs. If you need to apply more tags than the maximum allowed number, use a JSON string for the tag value. The JSON string can contain many values that are applied to a single tag name. A resource group can contain many resources that each have 50 tag name/value pairs.
  • The tag name is limited to 512 characters, and the tag value is limited to 256 characters. For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
  • Generalized VMs don’t support tags.
  • Tags applied to the resource group are not inherited by the resources in that resource group.
  • Tags can’t be applied to classic resources such as Cloud Services.
  • Tag names can’t contain these characters: <>%&\?/

You can find more information about limitations for tags, you can find them on Microsoft Docs.

Assign Tags

As mentioned before, you can use Azure Policy to manage tags on your resources, but you can also assign tags using the Azure Portal, Azure Resource Manager (ARM) templates, Azure PowerShell or the Azure CLI. Here are some short examples:

Azure PowerShell

Add tags to a resource group without existing tags:

Set-AzResourceGroup -Name myrg -Tag @{ "Department"="Finance"; "Environment"="Test" }

Add tags to a resource group that has existing tags, retrieve the existing tags, add the new tag, and reapply the tags:

$tags = (Get-AzResourceGroup -Name myrg).Tags
$tags.Add("Status", "Approved")
Set-AzResourceGroup -Tag $tags -Name myrg

Azure CLI

Overwrite the existing tags on a resource group:

az group update -n myrg --tags 'Environment=Test' 'Department=IT'

If you want to have more examples, check out the Microsoft Docs.

I hope this gives you a good overview of Azure Tags, and how they can be useful. If you want to learn more, check out the Microsoft Docs.

Azure Locks - Governance

Prevent Azure Resources from unexpected deletion using Locks

In this blog post, we will have a quick look at the basics of Azure Governance and how you can use Locks in Azure to govern your environment and protect resources from accidental deletion or changes. Cloud Computing is excellent, and you can deploy and delete services in seconds and go full speed. However, with that, there are also many challenges that are coming your way. Think about control over cost, security, or compliance. You don’t want everyone to be able to deploy a large Mv2-series virtual machine to test their application, and you might also not want people deploying services all over the world using one of the 55 Azure regions worldwide. The way to prevent things like this is called technical governance. However, it can be implemented in different ways.

Technical Governance

Technical Governance

The traditional approach was that you set a team or a person in front of the cloud, which can be called a cloud custodian or cloud broker team. And this team then decided on which services are going to get deployed and how. Now with that approach, people and processes become the limiting factor if you look at speed and agility.

Traditional approach

Traditional approach

To take advantage of speed and agility of the cloud, you want to give developers, operations people, or even teams and divisions in your company, but stay in control of the cloud environment. With Azure, we provide you with exactly these management tools, to make sure that you can keep control, but also keep the speed and agility the cloud promises.

Cloud-Native Governance

Cloud-Native Governance

Azure Resource Manager offers a couple of different tools for Azure Governance like Management Groups, Azure Policies, Azure Blueprints, Cost Management, and many more. In this quick blog, we will have a look at one of the basics called Azure Locks, which are part of the foundation. If you need to get started with Azure and especially Azure Governance, I created a blog post with some useful links.

Lock resources to prevent unexpected changes and deletion of Azure resources

We all have been there, we wanted to clean up some resources quickly or quickly run a script which changes a couple of settings, and we realized we just made a huge mistake. That is why it is great to have some locks in place to prevent unexpected changes and deletion to happen. With locks in Azure, you can lock a subscription, resource group, or resource to prevent other users in your organization from accidentally deleting or modifying critical resources.

Lock Types

You can set the lock level to CanNotDelete or ReadOnly. In the portal, the locks are called Delete and Read-only, respectively.

  • CanNotDelete means authorized users can still read and modify a resource, but they can’t delete the resource.
  • ReadOnly means authorized users can read a resource, but they can’t delete or update the resource. Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

You can find more information about the lock types here.

Permissions to create or delete locks

You will need to have access to Microsoft.Authorization/* or Microsoft.Authorization/locks/* to create or delete locks. By default, only the build-in roles Owner and User Access Administrator have these permissions.

Locks apply restrictions across all users and roles and are be applied to different scopes. These scopes are subscription, resource groups, or resources, and all resources within that scope inherit the same lock. If you have multiple locks in place, the most restrictive lock in the inheritance is applied. If you want to know more about permissions to set locks, you can find more information here.

How to lock a resource group

As an example of how locks can work, I wanted to show you how you can lock a resource group. You can create and assign locks using different methods and tools like the Azure Portal, Azure CLI, Azure PowerShell, Azure Resource Manager templates, or the REST API.

In the portal open up your resource group, in the settings blade, you click on Locks.

Azure Locks

Azure Locks

After that, you can click on Add and configure the lock.

Add a lock to an Azure Resource Group

Add a lock to an Azure Resource Group

Now, if someone tries to delete this resource group, he will get the following error.

Azure Resource Group is locked and can't be deleted

Azure Resource Group is locked and can’t be deleted

You can also set the lock using PowerShell:

New-AzResourceLock -LockName LockMyVNET -LockLevel CanNotDelete -ResourceGroupName azure-rg

Or the Azure CLI:

az lock create --name LockMyVNET --lock-type CanNotDelete --resource-group azure-rg

If you want to learn more about Azure Governance and especially Azure Locks, check out the following link to Microsoft Docs:

I hope this gives you an understanding of locks in Azure if you have any questions, feel free to leave a comment.