Apply and manage tags on resources
Resource tags allow you to apply custom metadata to your Azure resources to logically orga- nize them and to build out custom taxonomies. A tag is a name and a value pair. For example, suppose as you deploy resources in Azure, you want to track the environment the resource is associated with. To do this, you can create a tag called Environment and the value Production for all resources in production. For downstream environments such as development or test environments, you can use the same Environment tag with the Dev/Test value. Common tags include the environment with which a resource is associated, a cost center or billing code, and resource owner.
As tags are applied, you can query the resources in your subscription using your tags, and you can even do this across resource groups. This allows you to understand related resources across resource groups for both billing and management. Tags are also included in the billing data for Azure Cost Management + Billing. Cost Management + Billing gives a clear line of sight for chargeback to understand resource usage and cost. Figure 1-41 shows an example of an export with resource tags from an Azure EA subscription.
FIGURE 1-41 Azure detailed usage export
When planning for resource tags, any taxonomy should include a strategy for both on-demand (or self-service) tagging and automatic tagging through Azure Policy. In the“Configure Azure policies” section, you learned how to automatically apply tags using Azure Policy. In this section, you will learn how to create tags and manually apply them to resources.
As you plan your tagging taxonomy, be mindful of the limitations of tags in Azure, as detailed in Table 1-3.
TABLE 1-3 Azure tag limitations
TaG LIMIT | Notes |
Resource support | Not all resource types support tags. This means that you will not be able to apply tags to everything in Azure. For example, management groups, network interfaces and generalized VMs don’t support tags. Refer to this link: https://learn.microsoft.com/en-us/azure/azure-resource-manager/ management/tag-support. |
Number of tags | Most resources, resource groups, and subscriptions are limited to 50 tags. Each resource can have different tags. Some resources, such as Azure Automation, DNS zones, and Azure CDN, are limited to 15 tags. |
Tag name | Tag names cannot exceed 512 characters. For storage accounts, tag names are limited to 128 characters. |
Tag value | Tag values cannot exceed 256 characters. |
Tag inheritance | Tags are not inherited by child resources. Tags applied to a resource group are not applied to resources in that resource group. |
Classic resources | Tags cannot be applied to classic resources and are only available for resources created in the Azure Resource Manager model. |
Illegal characters | Tag names cannot contain the following characters: <, >, %, &, \, ?, /. Additionally, some resources such as Azure Front Door also restrict using # or : in the tag name. |
To apply tags to a subscription, resource group, or resource, the user applying the tag must have write access to the resource (Contributor role or higher access).
Tags can be created and applied to Azure resources through
- The Azure portal
- Azure PowerShell
- The Azure CLI
- Resource Manager templates
- Resource Manager REST API
This means tags can be applied both in an imperative manner and declaratively through Resource Manager templates. While this can be done through the Azure portal, PowerShell, the CLI, or Resource Manager, templates or policies are better suited when this is being done as resources are created because you don’t want to perform this manually for each resource after deployment.
Tags can be applied at the subscription, resource group, and/or the resource level. Note again that there is no inheritance for tags. If you need a tag to be applied to all resources in a resource group, each resource must be tagged individually.