Flexera logo
Image: Tagging Best Practices for Cloud Governance and Cost Management

Enterprises are now, more than ever, living in a multi-cloud environment managing highly complex pricing structures and an onslaught of new cloud services. The key to success is implementing enterprise-grade governance platforms that enable you to efficiently optimize costs across all cloud providers and ensure that you have access to any and all of the cloud services that your company requires.

Tagging of cloud resources is a critical foundation for your cloud governance initiatives. You will need a consistent set of tags that will be specifically used for governance and will apply globally across all of your resources. These global tags will add metadata specific to your organization that helps you better categorize each of your cloud resources for cost allocation, reporting, chargeback and showback, cost optimization, compliance, and security.

Defining Your Tagging Policy

Your cloud governance team should lead a process of defining your global tagging policy. It will be important to work with key stakeholders to get feedback and buy-in. Global tags should be applied consistently by all applications and teams in your organization. Individual teams or applications may add additional tags for their specific needs as well.

Absent a tagging policy, it is common for teams or individuals within the same organization to use variations of the same tag, which makes it extremely difficult to achieve accurate reporting. To effectively use tags for reporting and governance purposes, it is critical to create a policy that defines consistent naming conventions, including spelling, uppercase/lowercase, and spacing.

Once the required global tags have been specified, adding the global tags should be the responsibility of the resource owners and development teams. Central IT may assist with scripts and tools. Automation is key to implementing tags. For example, if you are using a Cloud Management Platform for provisioning, all templates should be set up to attach the appropriate tags.

Examples: Recommended Global Tags

Here is a template with a recommended set of global tags that you can customize with your specific tags and naming convention:

Tag Type Examples Purpose
Environment env = dev

env = test

env = stage

env = prod

Used to identify the environment type
Billing bu = bigbu

costcenter = sales

region = emea

owner = jsmith

One or more tags used to allocate costs
Application app = bigapp

svc = jenkins

One or more tags used to define the application or service
Compliance dataresidency = germany

compliance = pii

compliance = hipaa

One or more tags used to define compliance requirements
Optimization schedule = 24×7/GMT+1

schedule = 12×5/GMT-8

maxruntime = 14days

One or more tags to use in automated optimization

Tags by Cloud Provider

Each cloud provider has different limits and restrictions on tags.

AWS Azure Google (GCP)
Tags per resource 50 15 64
Length of key 127 512 63
Length of value 256 256 63
Case sensitive Yes (keys and values) No Lowercase only
Allowed characters Letters, spaces, numbers, and + – = . _ : / @ Alphanumeric Lowercase letters, numeric characters, underscores, and dashes. International characters are allowed.
Notes Don’t use aws: prefix as that is reserved for AWS.

You must “activate” particular tags for cost allocation so that they show up in billing reports.

Maximum active tag keys for Billing and Cost Management Reports: 500.

Can tag on Azure Resource Manager (ARM) resources only (not classic Azure).

Tag at Resource Group or Resource level. Suggest resource level for better cost allocation

Combine tags or use JSON string if exceeding the 15 tag limit..

Labels are a Beta service.

Keys must start with a lowercase letter.

Tags are called “Labels” in GCP.

There are “network tags” in GCP used to apply firewall rules. These are separate from labels.

Taggable resources EC2 Resources

Other Services

All ARM resources can be tagged.

List of ARM services

Documentation Tag Docs

User-Defined Tag Restrictions

Tag Docs

Best Practices

Label Docs

Implementing Your Tagging Policy

To effectively implement your tagging policy, you will need to create a staged rollout process.

Stage 1: Define Tagging Policy

Your cloud governance team leads a process to define a global tagging policy. It will be important to work with key stakeholders to get feedback and buy-in.

Stage 2: Reporting

Your cloud governance team provides ongoing weekly reports to show the level of coverage for global tags by team or group. These reports help to show current state and also track improvements in tag coverage.

Stage 3: Alerting

Your cloud governance team sets up daily automated alert emails on resources that are missing the required tags. Some organizations may choose to stop at Stage 3 if they have achieved the desired adoption of global tags.

Stage 4: (Optional) Alerting with Automated Termination or Escalation

Alerts on untagged resources give a defined window (24 hours, for example) to tag resources. If not tagged, resources can be terminated (only for non-production workloads) or an escalation can be sent to managers.

Ongoing Monitoring of Tagging

Once you’ve implemented your tagging policy, your cloud governance team should set up ongoing weekly reports to monitor the level of coverage for global tags by team or group. These reports help to show the current state and also track improvements in tag coverage.

The cloud governance and central IT teams should also set up automated “tag checking” to alert on missing tags and enforce the use of tags. Enforcement could, in some cases, include adding default tags or even terminating instances that aren’t tagged correctly.

Good Tagging for Good Governance

Today, a well-designed and disciplined tagging approach is critical to good cloud governance. Putting this foundation in place and using automation to maintain good tag hygiene will support the success of your critical governance initiatives for cloud cost reporting, cloud cost optimization, and cloud security.

This article also appears in InfoWorld.