This is an introduction to cloud resource tagging and labeling: If you are concerned with building a cloud architecture, then this blog post is for you! Tagging and labeling is an early stage topic of your cloud journey. It forms the foundation of an organized and structured growth.
In this post we will cover:
- Why tagging is an integral part of every cloud journey
- 5 steps to a winning cloud tagging strategy
- Common use cases of cloud resource tagging
- How to stay consistent across multiple platforms
- How meshcloud takes tagging to the next level
What are Cloud Resource Tags?
A tag is a label assigned to a cloud resource to apply custom metadata. Anything is taggable - from the cloud tenant on the top level to resource groups to single resources like virtual machines and databases.
Tags come as key value pairs:
The key describes the kind of the tag that is then further specified by its value. For example the key could be
environment and the values coud be
There are two different kinds of tags: The ones that are automatically generated by the cloud service provider - e.g. instance or subnet IDs - and user-defined tags.
For the purpose of this post we'll focus on the user-defined tags since they enable us to freely enrich our cloud resources with the information we consider relevant.
Why a tagging strategy is an absolute must-have
One central advantage of using the cloud is rapid scalability. And with this comes the necessity to keep track of what is going on in your cloud infrastructure while it is constantly growing and changing. That's where tags come in: You will need a consistent set of tags to apply globally accross all of your resources following a consistent set of rules. Tagging is the corner stone to an effective cloud governance: Cost allocation, reporting, chargeback and showback, cost optimization, compliance, and security - all these aspects can only be managed with proper tagging in place.
Everything can be put into this mnemonic: Tag early, tag often.
Five steps to a winning tag management strategy
Tagging early and tagging often requires a tag management strategy that streamlines tagging practices across all teams, platforms and resources.
The cloud governance team - or cloud foundation team - should take the lead in defining your global tagging strategy.
Here are 5 steps to get you started:
Bring the stakeholders together
Get everyone involved in the process who will be using tags or might have something to contribute to the integration of the strategy in the overall company processes. Of course these are DevOps representatives, but also non-technical roles from accounting or marketing or any other group using cloud resources. Meet as a group to get the full picture, hear everybody's concerns, avoid misunderstandings and save yourself the trouble of making changes later. If your organization already uses tags, start with auditing what is there.
Understand the purpose
It is important to have a common understanding of what problems the cloud resource tagging is supposed to solve. Define these questions early on in the process - here are some examples of what they could be:
Which business unit within the organization should this cost be charged to?
Which cost centers are driving my costs up or down?
How much does it cost to operate a product that I’m responsible for?
Are there unused resources in my dev/test environment?
Focus and keep it simple
You will not be able to set up an all-encompassing tagging strategy that will be valid for eternity. So don't make that your objective - keep it simple and set your focus. To get started, choose a small set of required tags you will need in the short term and build on them
as needed. Choose three to five pressing areas you want to understand. For example focus on cost reporting and align these tags with internal reporting requirements. Aim for an intuitive system to build on - more layers and granularity can be added further down the road.
Define the naming convention
You will need to decide on a naming convention for your tagging system. This is the backbone of everything you're trying to accomplish with your tagging strategy and must be enforced globally. If your company uses multiple cloud platforms or is planning on doing so, take into account that the platforms have different requirements for character count, allowed characters, case-sensitivity and so on. You can consult our tags and labels cheat sheet to help you with that.
Document everything and make it count
Make sure to document everything you agree upon in this cross-sectional team working on the tagging strategy. This documentation should cover the naming convention, the policies when to use which tags and the reasoning behind these decisions.
An organization-wide tagging strategy should make sure that tagging stays consistent on a global level. But take into account that individual teams or applications may add additional tags for their specific needs as well.
Common Use Cases for Cloud Resource Tagging
We've been talking about how tagging is absolutly essential and coming up with a tagging strategy should be an early stage step in setting up your cloud governance.
Here are the most common use cases to show you why:
Cloud Cost Management
Gain transparancy when it comes to cloud usage and costs: Tagging cost centers, business units and specific purposes help you keep track.
Cloud Access Management
Proper tagging enables administrators to control the access of users or user groups to resources or services.
Cloud Security Management
Tags are essential to identify sensitive resources and keeping them secure. For example, tagging the confidentiality classification helps to find the S3 bucket that's public and definitely shouldn't be or prevent that from happening in the first place (we'll come to that later).
The added metadata of tags enable a whole new level of automation: Many different automation tools can read these tags and utilize them to make your life easier in almost every regard concerning the previously mentioned use cases.
Challenges of Tagging in Multi-Cloud Architectures
Most companies use multiple cloud platforms and - in one way or another - struggle with the governance of their cloud architecture. Tags are here to help! BUT there are a few caveats that you need to be aware of to actually make things better.
Each cloud platform has its own tagging constraints - Google doesn't even call them tags but labels.
These questions will come up:
- How many tags per resource are possible?
- How many characters per tag and which characters are not allowed?
- Is there a difference in requirements for keys and values?
- What exceptions are there?
To help you with that we've created our Cheat Sheet for Tags and Labels on Cloud Platforms. There you can look up the differences in Azure, AWS and GCP tagging and labeling.
Consistency in the usage and naming of tags becomes even more important when working in a multi-cloud architecture. It is extremly critical if you want to do queries based on tags - inconsistencies and typos can ruin the whole point of what you were trying to achieve.
Making the Most of Tagging with meshcloud
Now that we've covered what tags are, what they are good for and how to create a tagging strategy to drastically expand the possibilities for cloud governance, we'll talk about how meshcloud takes this to a whole new level:
With meshcloud cloud governance or cloud foundation teams can define tags globally in one single place. This is incredibly helpful in keeping tags consistent across all platforms, teams and resources.
meshcloud enables you to set and enforce tag formats, patterns and constraints globally and make them work with all cloud platforms. With meshcloud, you define your tags as JSON and these can be entered in the UI either by employees themselves, or only administrators.
meshcloud enables cloud foundations teams to enforce possible tag values to a very granular level. You'll never have to worry if team members make typos or use different values for your tags. It is even possible to enforce the format of values using RegEx. For example, if your cost centers look like
ACME-12345, you can enforce this format globally for all clouds.
And, remember when we discussed tag constraints on cloud platforms? We got you covered here. If a tag value is not valid in a cloud platform, meshcloud automatically converts this value to a valid value inside of the cloud. For example, GCP would not allow
www.meshcloud.io as a value. It will automatically be converted to
www_meshcloud_io , which is a valid GCP value.
Implementing your global tagging strategy across all clouds is not the only value meshcloud has to offer. With our policies we enable our customers to set and enforce rules based on tags across all platforms, teams, projects and landing zones. This gives cloud foundation teams even more control over who has access to what. For example, you could enforce a certain Azure blueprint to be only used for production projects. Or you enforce that teams can only create projects for the environment they have been approved for. This makes sure that teams will not create production projects without being approved first.
Authors: Wulf Schiemann and Jelle den Burger