Discover our new product to help you understand usage and control costs in Azure. Explore Overcast.

AZURE 9 MIN READ

Govern Your Way to Lower Azure Costs: A Primer

Leigh Ryan
WRITTEN BY LEIGH RYAN
Govern Your Way to Lower Azure Costs: A Primer

If you want to be able to deliver on the promise that moving to the cloud will save your organization money, you need to get organized.

The best place to start tackling the elastic, and often confusing, nature of Azure costs is to design and implement a solid governance plan that accounts for matters of visibility, ownership, resource lifecycles and optimization. Done correctly, good cloud governance will ensure you maximal visibility and control over your resources, allowing you to minimize the guesswork involved in optimizing cloud asset costs.

Azure Cost Governance 101

What do we mean by governance? According to our friends at Microsoft, “governance refers to the ongoing process of managing, monitoring, and auditing the use of Azure resources to meet the goals and requirements of your organization.” Think of your governance plan as the foundation for managing your entire Azure infrastructure. It should be designed with scalability in mind and span the entire scope of your environments.

There are four main areas you should focus on when designing your cloud cost governance strategy in Azure—we call it the VOLO approach. (Of course, you can apply these general guidelines regardless of which cloud service provider you use):

  1. Visibility

  2. Ownership and permissions

  3. Lifecycle management

  4. Optimization

VOLO: 4 Pillars of an Effective Azure Governance Plan

1. Visibility

When it comes to smart cloud governance, implementing and enforcing strict-but-scalable policies defining how resources should be labelled, categorized and interacted with is absolutely crucial. Not only will the visibility you’ll gain from good organization help you work more efficiently, but it’ll also make it a lot easier to understand your Azure bill and perform accurate chargebacks.

How can you make sure you’re getting as much visibility over your environments as possible? In Azure, implementing tags and a logical naming convention will help you stay on top of which resources are being used, how they’re being used, and who’s using them. We’ll get into the details of these two concepts and their practical applications in upcoming blog posts, but here’s the gist:  

1.1. Establish a well-thought-out naming convention

This will allow you to identify the various building blocks of your Azure environment consistently, whether you’re working in the portal, analyzing your bill, or creating and deploying scripts. For example, you might decide to name your subscriptions according to a <CompanyName> <Department> <ProductLine> <Environment> structure: 

myCompany marketing sharedApps prod

When setting up your naming convention, consistency is key. The goal is to give your subscriptions, resources and groups descriptive, logical names that you can quickly scan and glean information from without having to dig into the metadata. Don’t just decide on a common set of affixes; also state whether they should be used as prefixes or suffixes, and stick to those rules at all times. You can use affixes to specify things like: 

  • The region in which a resource is deployed (ce for Canada East, uw for US West)

  • A resource’s environment (dev, prod) 

  • A resource’s instance, if there are multiple (01, 02 or v1, v2) 

If you’ve migrated (or are planning to migrate) your environment to the cloud from an existing physical infrastructure, chances are you already have a naming convention in place; familiarize yourself with Microsoft’s best practices to find out how you can optimize your existing standards for Azure.

1.2. Use tags to append metadata to your resources

If you’re new to tags, consider how your music collection is organized. Individual songs can be sorted and grouped according to a bunch of different criteria: maybe you feel like listening to smooth jazz, or Metallica, or that one Britney album you secretly love. As long as all of this information is consistently assigned across your entire library—if there’s a typo in Track 4’s Album title value, it’ll be segregated from rest of the record—the soundtrack to your current mood is always a quick keyword search away.  

Tags in Azure work pretty much the same way: they let you quickly bring up related resources (or songs) according to whatever common denominator you want to filter by (a specific artist), regardless of their resource group (it doesn’t matter which album). You can assign tags in the Azure Portal or via PowerShell (many more usage examples here): 

$r = Get-AzureRmResource –Name Toxic -ResourceGroupName examplegroup 
Set-AzureRmResource -Tag @{Artist="BritneySpears"; Album="InTheZone"} 
-ResourceId $r.ResourceId -Force )

Tags in Azure are made up of two components: a name (e.g. Department) and a value (e.g. Sales). Tags are only as effective as the taxonomy that supports them, so take the time to devise a plan before you start applying them to resources. If you use Album name on some tracks, but Album title on others, you won’t be able to retrieve the full Album with a single filter. Refer to Microsoft’s documentation for more on tags and how to use them.

2. Ownership and Permissions

Because security concerns are among the main reasons organizations hesitate to move to the cloud, we recommend approaching your governance plan from a risk-management perspective first and foremost (bonus: you’ll save money too). Identity management is a crucial, foundational component of both security and cost management: it’s your first line of defense against resource misuse and mushrooming costs.

In the decentralized context of an Azure environment, designating a primary contact who’s responsible for each resource is a best practice that’ll help you keep your user base accountable. A good way to track this is to create a PrimaryContact tag and use that person’s email address as a value. That way, if you notice a resource that’s been idle for some time, for example, you’ll be able to contact the resource owner directly to find out what’s going on and take cost-cutting measures accordingly. 

In addition to ownership tagging for accountability, you should use a role-based access control (RBAC) model to oversee and manage which resources a given user can create, view, edit or delete. Concretely, this will enable you to create role assignments, which in turn will allow you to enforce permissions at a granular level, with the main goal of stopping cloud sprawl and unplanned costs before they have a chance to materialize.

There’s a lot more to ownership and permissions, but one key recommendation to keep in mind on the security front is to operate on the principle of least privilege—grant users the minimum possible access in order to get their job done. 

3. Lifecycle Management

When your resources are in the cloud, it’s easy to waste money on idle databases or unneeded storage space if you aren’t keeping track. Even if you don’t really know how long you’re going to need to keep a given resource active for, setting an expiry date will force you, as IT, to periodically re-evaluate your usage and get rid of anything that’s no longer relevant. (And if you systematically assigned ownership to those resources when they were created, you’ll know just who to ask about deleting them!).

Once again, tagging proves useful: all you need to do is create an ExpiryDate tag with your desired deadline in a YYYYMMDD format. Just keep in mind that tags are nothing more than metadata—it’s up to you to make that information useful. You could, for instance, write a script that runs every week and flags resources that have reached their deadline, or even implement more complex automation to ping a resource’s designated primary contact whenever action is required. 

4. Optimization

Here’s where all that careful planning and rigorous application comes in handy. The more information you have on each resource within your Azure tenant, the easier it becomes to anticipate, understand, and act upon your bills. If you notice a spike in costs, you’ll want to be able to pinpoint the resource that’s causing it and make an informed decision on how to minimize the effects on your spending. Could you shut down that VM on weekends? Do you really need duplicate storage accounts in multiple geographic regions?

The Azure Portal and the new Azure Cost Management feature can give you a general overview of how your cloud spending breaks down. However, they lack many of the more robust reporting and recommendation capabilities provided by third-party apps.

Give Yourself the Full Picture of your Azure Costs

Whether your subscription is pay-as-you-go or part of an Enterprise Agreement, monitoring and understanding costs in Azure requires a lot more foresight than your old on-premises environment did. Ensuring a smooth transition to the cloud for your team, your end users and upper management alike is the responsibility of IT above all, and controlling your Azure spend is a big part of that equation. Just as migrating to the cloud has become an inevitable eventuality for businesses across all fields, creating new solutions and championing a whole new mindset is now an imperative for the entire IT workforce. It’s time to think VOLO!