Enforce Tags On Microsoft Azure Cloud Resources Using Policies

What are tags and why are they important?

Tags are name and value pairs: key-value metadata that you assign to your cloud resources. If you work on cloud, you already know how important tagging is. When you work in an organization that handles multiple customers, it gets difficult to keep track of all the resources. Tagging helps in managing, searching and filtering resources.

What’s in this blog?

In this blog, I am going to describe how we can use Policy Assignments in Microsoft Azure to enforce tags on the resources that you provision in Azure. Besides the advantages mentioned in the paragraph above, tagging also helps in generating cost reports. Wonder how? We can assign tags to specific Management Groups in Azure, and that gives us a consolidated view of the cost allocation.

Step 1.

Log in to your Microsoft Azure account at https://portal.azure.com/ and, once logged in, search for Policy. Click on the service named Policy, as shown in the screenshot below.

Step 2.

Azure Policy is a service that allows you to manage, assign and implement policies across all the resources in your infrastructure. It’s important to have guidelines from an IT perspective to achieve governance and compliance. Once you are in the service, look for an option named Assignments, as shown in the screenshot below. Click on Assignments, which opens another blade.

You will see a window similar to the one above if it’s a new account and you haven’t configured any policies yet.

Step 3.

Click on Assign Policy and let’s proceed with the policy creation and assignment. A new window opens with a lot of options. Starting with the first one, select the Scope of the policy. You can assign a policy to all the resources under a subscription.

Step 4.

Then come the exclusions. Clicking on the blue box at the right end of the form opens another blade where you can select a Resource Group from the Subscription to be excluded from the Policy that you are about to create and assign. This exclusion is not mandatory; it depends entirely on how you want your infrastructure to be set up. Click on Save once you are done.

Step 5.

In the same window as depicted in the image above comes the Policy Definition, which is mandatory for this to work. Click on the blue box at the end of it, which again opens another blade. Search for ‘tag’ in the search box and select the first definition, which says ‘Enforces a required tag and its value. Does not apply to resource groups.’

You can also select other definitions depending on the use case. There are policies that can be used to apply tags to resource groups as well. Select the definition by clicking on it, then click the Select button below, which closes the blade.

Step 6.

Make sure the Policy Enforcement option is enabled. You can also write a description as per your need. Then move on to the next tab, ‘Parameters’, as highlighted in the image below.

Step 7.

Parameters is the tab where you give the tag name and value. I am giving a tag name ‘billing_number’ and a sample value of ‘0123’. You can ignore the tab named ‘Remediation’ for now, as it’s out of scope for this blog. Proceed to click on ‘Review+Create’. That gives you an overview of the entire policy that you just created, which you can review before clicking on ‘Create’.

Your policy assignment is now active and you will be able to see it on the Assignments window.

Now that the policy is set up, let’s check that it works. I will start by creating a VM without giving any tags. If you have followed all the steps above exactly, you will see a validation error when you click on Create to start the VM.

The error is pretty much self-explanatory about why the VM was not launched. It required a tag which we hadn’t provided. This is how an organization can enforce tags on the resources started in its Azure account. An employee working on your Azure account should provide specific tags for the resources as per the team/company policies and standards.

Now, to fix the above error, give the billing tag which I mentioned earlier and check if it resolves the error and starts the virtual machine.

The above screenshot is proof that the policy worked perfectly and the virtual machine was launched only after we provided the billing tag. You can use tags such as environment, username or any other tags as per your use case. Do not forget to delete the VM and associated resources once the testing is done to avoid unnecessary billing.
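The behaviour configured in Steps 3 to 7 and checked with the VM test above, as an added example that is not part of the original post or Azure's own code: a simplified Python model of the assignment (scope, exclusion, enforcement mode, tag name and value) that you can run over a planned inventory before deploying. The subscription ID, resource group names and VM names are constructed placeholders.

```python
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder ID

# Constructed assignment mirroring Steps 3-7 (rg-sandbox is a hypothetical exclusion).
ASSIGNMENT = {
    "scope": SUB,
    "notScopes": [SUB + "/resourceGroups/rg-sandbox"],
    "enforcementMode": "Default",  # portal: Policy Enforcement = Enabled
    "parameters": {"tagName": "billing_number", "tagValue": "0123"},
}
RG_TYPE = "microsoft.resources/subscriptions/resourcegroups"

def under(resource_id, scope):
    """True when resource_id is the scope itself or one of its children."""
    rid, root = resource_id.lower(), scope.lower().rstrip("/")
    return rid == root or rid.startswith(root + "/")

def evaluate(resource, assignment=ASSIGNMENT):
    """Return the outcome a create/update request would get for this resource."""
    rid = resource["id"]
    if not under(rid, assignment["scope"]):
        return "out-of-scope"
    if any(under(rid, ns) for ns in assignment["notScopes"]):
        return "excluded"
    if resource["type"].lower() == RG_TYPE:
        return "not-applicable"  # this definition skips resource groups
    params = assignment["parameters"]
    # Tag names are matched case-insensitively; so is the value comparison here.
    tags = {k.lower(): str(v) for k, v in (resource.get("tags") or {}).items()}
    actual = tags.get(params["tagName"].lower())
    if actual is not None and actual.lower() == params["tagValue"].lower():
        return "allow"
    return "deny" if assignment["enforcementMode"] == "Default" else "non-compliant"

def vm(rg, name, tags=None):
    """Build a constructed VM record for the checks below."""
    rid = f"{SUB}/resourceGroups/{rg}/providers/Microsoft.Compute/virtualMachines/{name}"
    return {"id": rid, "type": "Microsoft.Compute/virtualMachines", "tags": tags}

SAMPLES = {  # constructed inventory
    "untagged": vm("rg-prod", "vm1"),
    "tagged": vm("rg-prod", "vm2", {"billing_number": "0123"}),
    "wrong-value": vm("rg-prod", "vm3", {"billing_number": "9999"}),
    "in-exclusion": vm("rg-sandbox", "vm4"),
    "resource-group": {"id": SUB + "/resourceGroups/rg-prod", "type": RG_TYPE, "tags": {}},
}

if __name__ == "__main__":
    for label, res in SAMPLES.items():
        print(f"{label:15} -> {evaluate(res)}")
```

The wrong-value and in-exclusion cases are the ones the portal walkthrough does not exercise: a tag with the right name but a different value is still denied, and anything under an excluded resource group is never evaluated.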

I hope you found this blog useful. Please post your valuable comments in the section below. Check out this space for more such technical blogs.

WRITTEN BY Sumit Sudhakaran
