Enterprises are now, more than ever, living in a multi-cloud environment managing highly complex pricing structures and an onslaught of new cloud services. The key to success is implementing enterprise-grade governance platforms that enable you to efficiently optimize costs across all cloud providers and ensure that you have access to any and all of the cloud services that your company requires.
The tagging of cloud resources is a critical foundation for your cloud governance initiatives. You will need a consistent set of tags that will be specifically used for governance and will apply globally across all of your resources. These global tags will add metadata specific to your organization that helps you better categorize each of your cloud resources for cost allocation, reporting, chargeback and showback, cost optimization, compliance, and security.
Defining Your Tagging Policy
Your cloud governance team should lead a process of defining your global tagging policy. It will be important to work with key stakeholders to get feedback and buy-in. Global tags should be applied consistently by all applications and teams in your organization. Individual teams or applications may add additional tags for their specific needs as well.
Absent a tagging policy, it is common for teams or individuals within the same organization to use variations of the same tag, which makes it extremely difficult to achieve accurate reporting. To effectively use tags for reporting and governance purposes, it is critical to create a policy that defines consistent naming conventions, including spelling, uppercase/lowercase, and spacing.
Once the required global tags have been specified, adding the global tags should be the responsibility of the resource owners and development teams. Central IT may assist with scripts and tools. Automation is key to implementing tags. For example, if you are using a Cloud Management Platform for provisioning, all templates should be set up to attach the appropriate tags.
Examples: Recommended Global Tags
Here is a template with a recommended set of global tags that you can customize with your specific tags and naming convention:
|Environment||env = devenv = testenv = stageenv = prod||Used to identify the environment type|
|Billing||bu = bigbucostcenter = salesregion = emeaowner = jsmith||One or more tags used to allocate costs|
|Application||app = bigappsvc = jenkins||One or more tags used to define the application or service|
|Compliance||dataresidency = germanycompliance = piicompliance = hipaa||One or more tags used to define compliance requirements|
|Optimization||schedule = 24×7/GMT+1schedule = 12×5/GMT-8maxruntime = 14days||One or more tags to use in automated optimization|
Tags by Cloud Provider
Each cloud provider has different limits and restrictions on tags.
|Tags per resource||50||15||64|
|Length of key||127||512||63|
|Length of value||256||256||63|
|Case sensitive||Yes (keys and values)||No||Lowercase only|
|Allowed characters||Letters, spaces, numbers, and + – = . _ : / @||Alphanumeric||Lowercase letters, numeric characters, underscores, and dashes. International characters are allowed.|
|Notes||Don’t use aws: prefix as that is reserved for AWS.You must “activate” particular tags for cost allocation so that they show up in billing reports.Maximum active tag keys for Billing and Cost Management Reports: 500.||Can tag on Azure Resource Manager (ARM) resources only (not classic Azure).Tag at Resource Group or Resource level. Suggest resource level for better cost allocationCombine tags or use JSON string if exceeding the 15 tag limit..||Labels are a Beta service.Keys must start with a lowercase letter.Tags are called “Labels” in GCP.There are “network tags” in GCP used to apply firewall rules. These are separate from labels.|
|Taggable resources||EC2 ResourcesOther Services||All ARM resources can be tagged.List of ARM services||List|
|Documentation||Tag DocsUser-Defined Tag Restrictions||Tag DocsBest Practices||Label Docs|
Implementing Your Tagging Policy
To effectively implement your tagging policy, you will need to create a staged rollout process.
Stage 1: Define Tagging Policy
Your cloud governance team leads a process to define a global tagging policy. It will be important to work with key stakeholders to get feedback and buy-in.
Stage 2: Reporting
Your cloud governance team provides ongoing weekly reports to show the level of coverage for global tags by team or group. These reports help to show current state and also track improvements in tag coverage.
Stage 3: Alerting
Your cloud governance team sets up daily automated alert emails on resources that are missing the required tags. Some organizations may choose to stop at Stage 3 if they have achieved the desired adoption of global tags.
Stage 4: (Optional) Alerting with Automated Termination or Escalation
Alerts on untagged resources give a defined window (24 hours, for example) to tag resources. If not tagged, resources can be terminated (only for non-production workloads) or an escalation can be sent to managers.
Ongoing Monitoring of Tagging
Once you’ve implemented your tagging policy, your cloud governance team should set up ongoing weekly reports to monitor the level of coverage for global tags by team or group. These reports help to show the current state and also track improvements in tag coverage.
The cloud governance and central IT teams should also set up automated “tag checking” to alert on missing tags and enforce the use of tags. Enforcement could, in some cases, include adding default tags or even terminating instances that aren’t tagged correctly.
Good Tagging for Good Governance
Today, a well-designed and disciplined tagging approach is critical to good cloud governance. Putting this foundation in place and using automation to maintain good tag hygiene will support the success of your critical governance initiatives for cloud cost reporting, cloud cost optimization, and cloud security.
This article also appears in InfoWorld & Flexera.