Azure Governance for the Modern Enterprise

Learn How to Use Azure Tagging to Analyze Costs & Support Chargebacks

Written by Phil DeVeau | Jan 18, 2021 4:40:29 AM

Gain a Better Understanding of Azure Spending 

Azure costs are fairly predictable in many circumstances. A virtual machine has a per-hour compute cost, while a burstable SKU has a much more involved cost model that is less predictable. Picking the right tool for the right job notwithstanding, your Azure bill is likely being covered by multiple cost centers. An effective tagging strategy can help highlight resource costs so that the bill can be broken down across cost centers.

Tagging Strategies 

Tags in Azure are stored as key-value pairs. Some common examples include env : dev, env : prod, and env : uat. Immediately we know whether a resource belongs to dev, prod, or uat. We can manage this with subscriptions as well (a dev, a prod, and a uat subscription, for instance), but as a program, effective tagging can give us insight at many other levels across subscriptions. If we add another set of tags, such as cost-code : fictional-cost-code, patterns from which to derive billing start to emerge. A quick charting exercise lets us understand not only our cost per environment but also our cost for each cost center.

Automated Tag Strategies 

What about self-service creation of Azure resources, though? We can’t count on teams to add the right tags when they create resources. They might misspell the tag or add the wrong tag. A team member might be on multiple teams and not be certain how to bill the resource internally. They might be in a rush and forget. Using policies assigned to subscriptions, we can deploy tags if they don’t already exist. Given a scenario of segregated subscriptions, we can assign a policy to each one so that, when a resource is deployed, the policy adds the environment tag for us. If we further segregate subscriptions, we can adapt our strategy to deploy tags for our associated cost centers as well. We can build on this to audit and remediate tags: if a cost center tag is missing, we can remediate by inheriting the cost center from a parent resource, and if the resource is moved, the tag is updated automatically to reflect its new home in your cost management workspace. We’ve taken away the headache and, once we have trust in the system, a large chunk of budget audit cost.

This Sounds Great, but What is the Cost? 

I know, these lofty goals sound expensive to implement and hard to maintain. Truth be told, there is a time investment: building an effective set of policies won’t be completed in a day. To accomplish our base goals we’ll need to take some simple steps:

  1. Create a management group. 
  2. Create a new subscription (or use an existing one) and assign it to the management group.
  3. Create a new modify effect policy rule and assign it to the management group. 
  4. Create a new add or replace policy that will update tags from parent resource changes. 

Add Tag Policy Example 

"policyRule": {
    "if": {
        "field": "[concat('tags[', parameters('tagName'), ']')]",
        "exists": "false"
    },
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [
                {
                    "operation": "add",
                    "field": "[concat('tags[', parameters('tagName'), ']')]",
                    "value": "[parameters('tagValue')]"
                }
            ]
        }
    }
}

Add/Replace Policy Example 

"policyRule": {
    "if": {
        "anyOf": [
            {
                "field": "tags['Env']",
                "notEquals": "[resourcegroup().tags['Env']]"
            },
            {
                "field": "tags['Env']",
                "exists": false
            }
        ]
    },
    "then": {
        "effect": "modify",
        "details": {
            "roleDefinitionIds": [
                "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
            ],
            "operations": [{
                "operation": "addOrReplace",
                "field": "tags['Env']",
                "value": "[resourcegroup().tags['Env']]"
            }]
        }
    }
}
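To see what each rule does to a chargeback report, the following added example (not InCycle's code and not an Azure API) models the two modify rules above in plain Python. The resource groups, resource names, costs, the "prod" assignment value and all function names are constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample data: resource groups, resources, monthly cost in USD.
GROUPS = {"rg-shop-prod": {"Env": "prod"}, "rg-shop-dev": {"Env": "dev"}}
RESOURCES = [
    {"name": "vm-web", "group": "rg-shop-prod", "cost": 310.0, "tags": {"Env": "prod"}},
    {"name": "sql-orders", "group": "rg-shop-prod", "cost": 540.0, "tags": {}},  # tag forgotten
    {"name": "vm-batch", "group": "rg-shop-prod", "cost": 120.0, "tags": {"Env": "prd"}},  # misspelled
    {"name": "st-scratch", "group": "rg-shop-dev", "cost": 25.0, "tags": {"Env": "prod"}},  # moved from prod
]

def add_if_missing(resource, tag_name, tag_value):
    """Model of the 'add' rule: fires only when the tag does not exist."""
    tags = dict(resource["tags"])
    if tag_name not in tags:            # "exists": "false"
        tags[tag_name] = tag_value      # "operation": "add"
    return tags

def inherit_from_group(resource, tag_name="Env"):
    """Model of the 'addOrReplace' rule: fires when the tag is missing or
    differs from the resource group's value (notEquals ignores case)."""
    tags = dict(resource["tags"])
    wanted = GROUPS[resource["group"]][tag_name]
    current = tags.get(tag_name)
    if current is None or current.casefold() != wanted.casefold():  # "anyOf"
        tags[tag_name] = wanted         # "operation": "addOrReplace"
    return tags

def cost_by_tag(resources, tag_name="Env"):
    """Sum cost per tag value; resources without the tag land in 'untagged'."""
    totals = defaultdict(float)
    for res in resources:
        totals[res["tags"].get(tag_name, "untagged")] += res["cost"]
    return dict(totals)

def apply_rule(resources, rule):
    """Return copies of the resources with the rule's resulting tags."""
    return [{**res, "tags": rule(res)} for res in resources]

def chargeback_views():
    """Cost per Env value before any policy, after 'add', after 'addOrReplace'."""
    added = apply_rule(RESOURCES, lambda r: add_if_missing(r, "Env", "prod"))
    inherited = apply_rule(RESOURCES, inherit_from_group)
    return cost_by_tag(RESOURCES), cost_by_tag(added), cost_by_tag(inherited)

if __name__ == "__main__":
    for label, view in zip(("before", "add", "addOrReplace"), chargeback_views()):
        print(f"{label:13} {view}")
```

The model covers tag logic only. In Azure both rules run under the policy assignment's managed identity, which is granted the role listed in roleDefinitionIds (b24988ac-6180-42a0-ab88-20f7382dd24c is the built-in Contributor role), so choose the assignment scope deliberately.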

Cost management in Azure can be confusing, and distributing costs internally can be a real headache if you don’t know where they belong; this can make traditional budgeting a nightmare. InCycle has worked with many organizations to accelerate adoption of winning cost management governance practices. To learn more about cloud governance, download the Cloud Governance Playbook!