Before Lab 5.4 — The Power of Tags
Before Lab 5.4 — The Power of Tags
In Labs 5.2 and 5.3 you've seen tags as a compliance requirement — something you enforce with Azure Policy. But tags are far more powerful than just being a box you check for governance. They're one of the most versatile tools in your cloud toolkit.
Tags beyond compliance
Tags are user-defined key-value metadata on every Azure resource. You can add up to 50 tags per resource (the total count of tags, not per-key), and the same tag key can have different values across resources. This flexibility makes tags incredibly useful for things that have nothing to do with compliance:
1. Cost tracking and allocation
Every Azure subscription has a budget, but without tags, you can't tell which team or project spent what. Tags like cost-centre, owner, environment turn raw spend into actionable reports:
Azure Cost Management → Cost analysis → Group by: Tag (cost-centre)This gives you a breakdown like:
| cost-centre | Monthly spend |
|---|---|
| IT-12345 | €4,200 |
| IT-67890 | €1,800 |
| IT-11111 | €6,300 |
Without these tags, you'd just see a total — no way to hold teams accountable or identify waste.
2. Tag-aware access reviews
Azure RBAC doesn't natively support filtering role assignments by tags — but Entra ID Governance access reviews can be scoped by tags. For example, you can create an access review that only reviews users who have access to resources tagged environment=production, or automatically grants access to resources tagged environment=dev based on department membership.
Note: This is not the same as traditional RBAC role assignments. Tag-aware access reviews use Entra ID Governance to periodically review or provision access based on resource tags.
3. Automation triggers
Tags are the most common trigger for automation in Azure. When a resource is tagged, you can use Event Grid or Azure Monitor alerts to detect the tag change and trigger a Logic App or RunBook:
- Auto-decommission resources tagged
status=decommissioned→ trigger a deprovisioning workflow - Scale up resources tagged
status=peak-traffic→ increase VM count via an automation runbook - Notify stakeholders when a resource is tagged
status=review-needed
The key insight: tags are the interface between your infrastructure and your automation. They're the signal that tells automation what to do.
4. Security incident response
When a security incident occurs, you need to act fast. Tags let you quickly isolate affected resources:
- Tag all resources in the affected subnet with
incident=investigate - Use the tag to find all affected resources instantly across the portal and via CLI
- Apply restrictive NSG rules only to those tagged resources
- Remove the tag once the investigation is complete
Without tags, you'd have to manually check each resource — slow and error-prone during a live incident.
5. Resource lifecycle management
Tags track the state of a resource through its lifecycle:
| Tag key | Possible values | Purpose |
|---|---|---|
status | active, pending-decommission, decommissioned, maintenance | Lifecycle state |
retention | 30d, 90d, 1y, permanent | Data retention policy |
backup_schedule | daily, weekly, monthly | Backup frequency |
encryption | aes256, customer-managed | Encryption method |
Automation can then act on these tags — decommissioning expired resources, applying backup schedules, enforcing encryption standards.
Tags in your Day 5 environment
Your Day 5 infrastructure already has some tags applied by Terraform. Let's explore what they are and what else you could add:
common_tags = {
environment = "dev"
student = "<your-prefix>"
managed_by = "terraform"
day = "day-5"
}But these are just the basics. In a real environment, you'd want tags like:
cost-centre— for financial accountabilityowner— who owns this resourcestatus— lifecycle stateretention— data retention requirementsbackup_schedule— backup frequencyincident— active incident tracking
What you will do in this lab
In this lab, you'll explore the power of tags beyond compliance:
- Explore existing tags on your Day 5 resources and understand what they tell you
- Add new tags that reflect real-world operational needs (cost-centre, owner, status)
- Use tags for cost allocation — view cost reports grouped by tag in Azure Cost Management
- Simulate an incident response — use tags to quickly identify and isolate affected resources
- Simulate a tag-based automation trigger — document how you would design an Event Grid or Azure Monitor alert to respond to tag changes
#note( "This lab is about exploration — there are no 'wrong' answers. The goal is to understand how tags connect infrastructure to the business processes around it: cost, operations, security, and lifecycle management." )
What to look for in Lab 5.4
Lab 5.4 checklist
Lab focus
In Lab 5.4, you're exploring the operational power of tags — how they connect your infrastructure to cost tracking, incident response, and automation. The goal isn't to enforce anything; it's to understand what tags enable.
Check before starting
You should be able to answer these questions before starting the lab:
- Why is a
cost-centretag more useful than just looking at total subscription spend? - How could tags help you respond faster to a security incident?
- What tag would you add to track which resources need decommissioning?